ABSTRACT


This is the first in a series of reports describing the application of temporal logic to the
specification and verification of concurrent programs.

We  first  introduce  temporal  logic  as  a  tool  for  reasoning  about  sequences  of  states.  Models 
of  concurrent  programs  based  both  on  transition  graphs  and  on  linear-text  representations  are 
presented  and  the  notions  of  concurrent  and  fair  executions  are  defined. 

The  general  temporal  language  is  then  specialized  to  reason  about  those  execution  sequences 
that  are  fair  computations  of  a  concurrent  program.  Subsequently,  the  language  is  used  to  describe 
properties  of  concurrent  programs. 

The set of interesting properties is classified into invariance (safety), eventuality (liveness),
and precedence (until) properties. Among the properties studied are: partial correctness, global
invariance, clean behavior, mutual exclusion, absence of deadlock, termination, total correctness,
intermittent assertions, accessibility, responsiveness, safe liveness, absence of unsolicited response,
fair responsiveness, and precedence.

In  the  following  reports  of  this  series,  we  will  use  the  temporal  formalism  to  develop  proof 
methodologies  for  proving  the  properties  discussed  here. 
INTRODUCTION


Temporal logic is a special branch of logic that deals with the development of situations in
time. Whereas ordinary logic is adequate for describing a static situation, temporal logic enables
us to discuss how a situation changes due to the passage of time. An execution of a program is
precisely a chain of situations, called execution states, that undergo a series of transformations
determined by the program's instructions. This suggests that temporal logic is an appropriate tool
for reasoning about the execution of programs. The special advantage of this approach is that it
enables us to formalize the entire execution of a program and not just the function or relation it
computes.

The  temporal  logic  approach  offers  special  advantages  for  the  formalization  and  analysis  of 
the  behavior  of  concurrent  programs.  Concurrent  programs  have  long  been  a  difficult  subject  to 
formalize  and  have  often  defied  generalization  of  methods  that  worked  perfectly  for  sequential 
programs. 

One inherent difficulty in analyzing a concurrent program is that when combining two processes
to be run in parallel, we cannot infer the input-output relation computed by the combined program
from just the input-output relations computed by each of the individual component processes. The
obvious reason for this is that, running in parallel, the processes may interfere with one another,
altering the behavior each would have when run alone. Consequently, in order for any approach
to stand a chance of success, it must deal with more than the input-output relation computed by
a program. It should be concerned with execution sequences in one form or another, as well as be
able to discuss mid-execution events.

Another inherent difficulty is the discontinuity associated with the simulation of concurrency
by multiprogramming. A very convenient and widely used model of real concurrency is to regard
the participating events as composed of many atomic basic steps. Then instead of requiring that
these basic steps occur concurrently, we consider sequences in which these steps are interleaved in
all possible ways. The problem with modelling concurrency by multiprogramming (interleaving)
is that without further restrictions a certain process can be discriminated against by having its
execution continually delayed. Disallowing this discrimination introduces a discontinuity into the
set of interleaved execution sequences.

Consequently,  any  approach  which  is  based  strongly  on  the  concept  of  continuity,  such  as 
the  denotational  approach  or  equivalent  relational  ones,  is  bound  to  face  severe  difficulties  when 
extended  to  deal  with  concurrency. 

Temporal logic avoids both these difficulties by (a) being geared from the start to analyze
and formalize properties in terms of execution sequences, and (b) not being based on limits and
assumptions of continuity. In fact, it can very easily and naturally express such concepts as
"eventually", which describes an event arbitrarily far ahead in the future, but still a finite duration
away.

In  this  report  we  introduce  the  framework  and  language  of  temporal  logic  and  demonstrate 
its  appropriateness  for  describing  properties  of  programs. 

We  start  with  an  exposition  of  modal  logic  whose  domain  of  interpretation  is  a  set  of  states 
and  (general)  accessibility  relations  connecting  these  states.  We  then  specialize  to  temporal  logic 
which  requires  that  the  states  form  a  linear  discrete  sequence.  Linear  discrete  sequences  can  be 
used to describe a dynamic process that goes through changes at discrete instants. Consequently,
temporal  logic  is  suitable  for  reasoning  about  such  dynamic  processes  and  their  behavior  in  time. 


Next,  we  present  a  model  of  concurrent  programs.  The  basic  model  is  based  on  several 
concurrent  processes,  each  of  which  is  given  in  the  form  of  a  transition  graph  or  a  linear-text 
program.  Executions  of  concurrent  programs  are  defined  to  be  an  interleaving  of  execution  steps, 
each  taken  from  one  of  the  processes.  We  discuss  the  conditions  under  which  an  interleaved 
execution  faithfully  represents  real  concurrency.  One  of  these  conditions  calls  for  the  interleaving 
to  be  fair  in  that  no  process  is  neglected  for  too  long. 

We  then  show  how  the  language  of  temporal  logic  can  be  further  specialized  to  reason  about 
execution  sequences  of  programs.  In  this  way,  properties  of  programs  which  are  expressible  as 
properties  of  their  execution  sequences  are  readily  formalizable. 

The  rest  of  the  report  overviews  in  a  systematic  manner  the  different  properties  of  interest. 
They  are  classified  into: 

• Invariance properties, stating that some condition holds continuously throughout the computation.

•  Eventuality  properties,  stating  that  under  some  initial  conditions,  a  certain  event  (such  as  the 
program’s  termination)  must  eventually  be  realized. 

•  Precedence  properties,  stating  that  a  certain  event  always  precedes  another. 

For  each  class  of  properties,  we  present  several  typical  and  useful  properties  together  with 
sample  programs  illustrating  these  properties. 


1.  THE  GENERAL  CONCEPTS  OF  TEMPORAL  LOGIC 


In  the  development  of  logic  as  a  formalization  tool,  we  can  observe  an  increasing  ability 
to  express  change  and  variability.  Propositional  Calculus  was  developed  to  express  constant  or 
absolute  truth,  stating  basic  facts  about  the  universe  of  discourse.  The  propositional  framework 
mainly  deals  with  the  question  of  how  the  truth  of  a  composite  sentence  depends  on  the  truth  of 
its  constituents.  In  Predicate  Calculus  we  deal  with  variable  or  relative  truth  by  distinguishing  the 
statement  (the  predicate)  from  its  arguments.  It  is  understood  that  the  statement  may  be  true 
or false according to the particular individuals it is applied to. Thus we may regard predicates
as  parameterized  propositions.  The  Modal  Calculus  adds  another  dimension  of  variability  to  this 
description  by  predicates.  If  we  contemplate  a  major  transition  in  which  not  only  individuals, 
but  also  the  meaning  of  functions  and  predicates  are  changed,  then  the  modal  calculus  provides 
a  special  notation  for  this  major  change.  For  instance,  any  chain  of  reasoning  which  is  valid  on 
Earth  may  become  invalid  on  Mars  because  some  of  the  basic  concepts  naturally  used  on  Earth  may 
assume  completely  different  meanings  (or  become  meaningless)  on  Mars.  Conceptually,  this  calls 
for  a  partition  of  the  universe  of  discourse  into  worlds  of  similar  structure  but  different  contents. 
Variability  within  a  world  is  handled  by  changing  the  arguments  of  predicates,  while  changes 
between  worlds  are  expressed  by  the  special  modal  formalism. 

Consider for example the statement: "It rains today". Obviously, the truth of such a statement
depends on at least two parameters: the date and the location at which it is stated. Given a specific
date $t_0$ and location $l_0$, the specific statement "It rains at $l_0$ on $t_0$" has propositional character,
i.e., it is fully specified and must either be true or false. We may also consider the fully variable
predicate $rain(l, t)$: "It rains at $l$ on $t$", which gives equal priority to both parameters. The modal
approach distinguishes two levels of variability. In this example, we may choose time to be the
major varying factor, and the universe to consist of worlds which are days. Within each day we
consider the predicate $rain(l)$ which, given the date, depends only on the location. Alternatively,
we can choose the location to be the major parameter and regard the raining history of each
location as a distinct world.

As  is  seen  from  this  example,  the  transition  from  predicate  logic  to  modal  logic  is  not  as  sharp 
as  the  transition  from  propositional  logic  to  predicate  logic.  For  one  thing  it  is  not  absolutely 
essential.  We  could  manage  quite  reasonably  with  our  two  parameter  predicate.  Second,  the 
decision  as  to  which  parameter  is  chosen  to  be  the  major  one  may  seem  arbitrary.  It  is  strongly 
influenced  by  our  intuitive  view  of  the  situation. 

In spite of these reservations there are some obvious advantages to the introduction and use of
modal formalisms. They allow us to explicitly make one parameter more significant than all the others,
and make the dependence on that parameter implicit. Nowadays, when increasing attention is
being paid to the clear correspondence between the syntactical structure of a program and its
functional decomposition (as is repeatedly stressed by the discipline of structured programming), it
seems only appropriate to introduce extra structure into the description of varying situations. Thus
a clear distinction is made between variation within a world, which we express using predicates and
quantifiers, and variation from one world to another, which we express using the modal operators.

Another  way  to  view  the  generalization  offered  by  modal  logic  is  to  claim  that  predicate 
calculus  is  appropriate  for  describing  static  situations.  It  gives  statements  about  basic  objects  and 
their  interrelation.  The  additional  dimension  provided  by  the  modal  logic  is  that  of  dynamic  change 
from  one  situation  into  the  other.  One  of  the  characteristics  of  changes  due  to  time  transitions  is 
the fact that the same basic objects and entities exist in each of the static situations but that their
attributes and interrelations may change. Thus modal logic faithfully and conveniently portrays
for  us  a  dynamic  situation  consisting  of  a  set  of  static  situations  and  rules  of  change  between  them. 

THE  MODAL  FRAMEWORK 

The  general  modal  framework  ([HC])  considers  a  universe  that  consists  of  many  similar 
states  (or  worlds)  and  a  basic  accessibility  relation  between  the  states,  R(s,  s'),  which  specifies 
the  possibility  of  getting  from  one  state  s  to  another  state  s'. 

Consider  again  the  example  of  rainy  days,  with  time  taken  to  be  the  major  parameter.  There, 
each  state  in  the  universe  is  a  day.  A  possible  accessibility  relation  might  hold  between  two  days 
s  and  s'  if  s'  is  in  the  future  of  s. 

The main notational idea is to avoid any explicit mention of either the state parameter (date in
our example) or the accessibility relation. Instead we introduce two special operators that describe
properties of states which are accessible from a given state in a universe.

The two modal operators introduced are $\Box$ (called the necessity operator) and $\Diamond$ (called the
possibility operator). Their meaning is given by the following rules of interpretation, in which we
denote by $|w|_s$ the truth value of the formula $w$ in a state $s$:

$|\Box w|_s = \forall s'\,[R(s, s') \supset |w|_{s'}]$

$|\Diamond w|_s = \exists s'\,[R(s, s') \wedge |w|_{s'}]$.

Thus, $\Box w$ is true at a state $s$ if the formula $w$ is true at all states $R$-accessible from $s$. Similarly,
$\Diamond w$ is true at a state $s$ if $w$ is true in at least one state $R$-accessible from $s$. Usually, $R$ is taken
to be reflexive, so that every state is $R$-accessible from itself and thus $R(s, s)$ always holds.

A modal formula is a formula constructed from proposition symbols, predicate symbols (including
equality), function symbols, individual constants and individual variables, the classical
operators  and  quantifiers,  and  the  modal  operators.  A  formula  without  any  modal  operators  is 
called  a  static  formula.  A  fully  modal  (dynamic)  formula  is  conveniently  viewed  as  consisting  of 
static  subformulas  to  which  modal  and  classical  operators  are  applied.  The  truth  value  of  a  modal 
formula  at  some  state  of  a  given  universe  is  found  by  a  repeated  use  of  the  rules  above  for  the 
modal  operators  and  evaluation  of  any  static  subformula  on  the  state  itself.  It  is  assumed  that 
every  state  contains  a  full  interpretation  of  all  the  classical  symbols  in  the  formula,  which  fully 
determines  the  truth  value  of  every  static  formula. 

For example, the formula

$rain(l) \supset \Diamond \neg rain(l)$

is interpreted in our model of rainy days as stating: for a given day and a given location $l$, if it
rains on that day at $l$ then there exists another day in the future on which it will not rain at $l$;
thus any rain will eventually stop. Similarly,

$rain(l) \supset \Box rain(l)$

claims that if it rains on that day it will rain ever after. Note that any modal formula is always
considered with respect to some fixed reference state, which may be chosen arbitrarily. In our
example, it has the meaning of "today".


Consider the general formula

$\Box \neg w \equiv \neg \Diamond w$.

As we can see from the definitions, this claims that all $R$-accessible states satisfy $\neg w$ if and only
if there does not exist an $R$-accessible state satisfying $w$. This formula is true in any state of any
universe with an arbitrary $R$.

We now give a more precise definition. A universe $U$ for a modal formula $w$ consists of
a nonempty domain $D$, a set of states (or worlds) $S$, and a binary relation $R$ on $S$, called the
accessibility relation. Each state $s$ provides a first-order interpretation over the domain $D$ for
all the proposition symbols, predicate symbols, function symbols, individual constants, and (free)
individual variables in $w$. A model $(U, s_0)$ is a universe $U$ with one of the states of $U$, $s_0 \in S$,
designated as the initial or reference state. In short,


$$U = \begin{cases} \text{domain} & D \\ \text{set of states} & S \\ \text{accessibility relation between states} & R \end{cases}$$

where

state = assignment to the symbols of $w$ over $D$.


We define the truth value of a modal formula $w$ at a state $s$ (denoted by $|w|_s$) in a given
universe $U$ inductively:

1. If $w$ is static, i.e., contains no modal operators, then its truth value
$|w|_s$ is found by interpreting $w$ in $s$.

2. $|\Box w|_s$ is $\forall s'\,[R(s, s') \supset |w|_{s'}]$.

3. $|\Diamond w|_s$ is $\exists s'\,[R(s, s') \wedge |w|_{s'}]$.

4. $|w_1 \vee w_2|_s$ is true iff either $|w_1|_s$ is true or $|w_2|_s$ is true.

5. $|\neg w|_s$ is true iff $|w|_s$ is false.

Note that by our rules of interpretation

• $|\Diamond(\Box w)|_s$ means that $|\Box w|_{s'}$ is true at some state $s'$ $R$-accessible from $s$. That is,

$\Diamond \Box w$

stands for: we can get to a point where $w$ is true ever after; i.e., there is a state $s'$ $R$-accessible from
$s$ such that $s'$ itself and all of its $R$-descendants satisfy $w$.

• $|\Box(\Diamond w)|_s$ means that $|\Diamond w|_{s'}$ is true for all states $s'$ $R$-accessible from $s$. That is,

$\Box \Diamond w$

stands for: wherever we go $w$ is still realizable; i.e., for every state $s'$ accessible from $s$ it is possible
to find an $R$-descendant of $s'$ which satisfies $w$.

• $|\Box(w \supset \Box w)|_s$ means that $|w \supset \Box w|_{s'}$ is true for all states $s'$ $R$-accessible from $s$. That is,

$\Box(w \supset \Box w)$

stands for: if $w$ ever becomes true in some $s'$ accessible from $s$, it remains true for all descendants
of $s'$.

If a formula $w$ is true in a state $s_0$ in a universe $U$ we say that $(U, s_0)$ is a (satisfying) model
for that formula, or that the formula is satisfied in $(U, s_0)$.

A formula $w$ which is true in all states of every universe is called valid; that is, for every
universe $U$ of $w$ and for every state $s$ in $U$, $|w|_s$ is true. For example, the formula

$\Box \neg w \equiv \neg \Diamond w$

is  a  valid  formula.  This  formula  establishes  the  connection  between  “necessity"  and  “possibility”. 
Another  valid  formula  is 

$\Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$,

i.e., if in all accessible states $w_1 \supset w_2$ holds and if $w_1$ is true in all accessible states, then $w_2$ must
also be true in all of those states.

Both formulas are valid for any accessibility relation. If we agree to place further general
restrictions on the relation $R$, we obtain additional valid formulas which are true for any model
with a relation satisfying these restrictions. According to the different restrictions we may impose
on $R$, we obtain different modal systems. In our discussion we stipulate that $R$ is always reflexive
and transitive; i.e., we consider a formula to be valid iff it is true in all states of every universe
with a reflexive and transitive accessibility relation.

For example, the formula

$\Box w \supset w$

is valid since it is true for every reflexive model. It claims for a state $s$ that if all states accessible
from $s$ satisfy $w$, then $w$ is satisfied by $s$ itself. This is obvious since $s$ is accessible from itself (by
reflexivity).

The formula

$\Diamond \Diamond w \supset \Diamond w$,

which stands for $(\Diamond(\Diamond w)) \supset (\Diamond w)$, is valid since it is true for all transitive models. It claims for
a state $s_0$: if there exists an $s_1$ accessible from $s_0$ and an $s_2$ accessible from $s_1$ such that $s_2$ satisfies
$w$, then there exists an $s_3$ accessible from $s_0$ which satisfies $w$. This always holds in a transitive
model since by transitivity $s_2$ is also accessible from $s_0$ and we may take $s_3 = s_2$.
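As an added example that is not part of the original paper, the following Python evaluator implements the interpretation rules for $\Box$ and $\Diamond$ over an explicit universe $(S, R)$ and checks the claims of this section by brute force: the duality $\Box \neg w \equiv \neg \Diamond w$ and the distribution formula hold in every universe with up to three states and an arbitrary $R$, whereas $\Box w \supset w$ holds only once $R$ is restricted to reflexive relations and $\Diamond \Diamond w \supset \Diamond w$ only once it is restricted to transitive ones. The tuple encoding of formulas, the class and function names, and the two counter-models `NOT_REFLEXIVE` and `NOT_TRANSITIVE` are my own constructions; replacing $R$ by its reflexive transitive closure $R^*$ (the paper's `closure`) repairs both counter-models.

```python
from itertools import product

# Formulas are nested tuples built with the helpers below (encoding chosen here).
def atom(p): return ("atom", p)
def neg(f): return ("not", f)
def disj(f, g): return ("or", f, g)
def imp(f, g): return ("imp", f, g)
def iff(f, g): return ("iff", f, g)
def box(f): return ("box", f)      # [] w : w holds in all R-accessible states
def dia(f): return ("dia", f)      # <> w : w holds in some R-accessible state

class Kripke:
    """A universe (S, R) plus a valuation giving, for each state, the set of
    proposition names true there.  R is a set of (s, s') pairs."""
    def __init__(self, states, relation, valuation):
        self.states = frozenset(states)
        self.R = frozenset(relation)
        self.val = {s: frozenset(valuation.get(s, ())) for s in self.states}

    def successors(self, s):
        return [t for (a, t) in self.R if a == s]

    def is_reflexive(self):
        return all((s, s) in self.R for s in self.states)

    def is_transitive(self):
        return all((a, c) in self.R
                   for (a, b) in self.R for (b2, c) in self.R if b == b2)

    def closure(self):
        """Same universe with R replaced by R*, its reflexive transitive closure."""
        R = set(self.R) | {(s, s) for s in self.states}
        changed = True
        while changed:
            changed = False
            for (a, b) in list(R):
                for (b2, c) in list(R):
                    if b == b2 and (a, c) not in R:
                        R.add((a, c))
                        changed = True
        return Kripke(self.states, R, {s: set(v) for s, v in self.val.items()})

def truth(f, m, s):
    """|f|_s in model m, following the interpretation rules for [] and <>."""
    op = f[0]
    if op == "atom": return f[1] in m.val[s]
    if op == "not":  return not truth(f[1], m, s)
    if op == "or":   return truth(f[1], m, s) or truth(f[2], m, s)
    if op == "imp":  return (not truth(f[1], m, s)) or truth(f[2], m, s)
    if op == "iff":  return truth(f[1], m, s) == truth(f[2], m, s)
    if op == "box":  return all(truth(f[1], m, t) for t in m.successors(s))
    if op == "dia":  return any(truth(f[1], m, t) for t in m.successors(s))
    raise ValueError(f"unknown operator {op!r}")

def true_everywhere(f, m):
    return all(truth(f, m, s) for s in m.states)

def valid_on_small_universes(f, props=("p", "q"), max_states=3, restrict=None):
    """Brute-force validity: f must be true at every state of every universe with
    up to max_states states, every relation R, and every valuation of props.
    `restrict` keeps only some universes (e.g. Kripke.is_reflexive)."""
    for n in range(1, max_states + 1):
        pairs = [(a, b) for a in range(n) for b in range(n)]
        for keep in product((False, True), repeat=len(pairs)):
            R = {pr for pr, k in zip(pairs, keep) if k}
            for bits in product(range(1 << len(props)), repeat=n):
                val = {s: {p for i, p in enumerate(props) if bits[s] >> i & 1}
                       for s in range(n)}
                m = Kripke(range(n), R, val)
                if restrict is not None and not restrict(m):
                    continue
                if not true_everywhere(f, m):
                    return False
    return True

p, q = atom("p"), atom("q")
DUALITY = iff(box(neg(p)), neg(dia(p)))                   # []~p  ==  ~<>p
DISTRIBUTION = imp(box(imp(p, q)), imp(box(p), box(q)))   # [](p->q) -> ([]p -> []q)
REFLEXIVE_ONLY = imp(box(p), p)                           # []p -> p
TRANSITIVE_ONLY = imp(dia(dia(p)), dia(p))                # <><>p -> <>p

# Two counter-models (constructed here): R has no loop at 0, resp. no edge 0 -> 2.
NOT_REFLEXIVE = Kripke({0, 1}, {(0, 1)}, {1: {"p"}})
NOT_TRANSITIVE = Kripke({0, 1, 2}, {(0, 1), (1, 2)}, {2: {"p"}})

if __name__ == "__main__":
    print("duality, any R:          ", valid_on_small_universes(DUALITY))
    print("distribution, any R:     ", valid_on_small_universes(DISTRIBUTION))
    print("[]p -> p, any R:         ", valid_on_small_universes(REFLEXIVE_ONLY))
    print("[]p -> p, reflexive R:   ", valid_on_small_universes(REFLEXIVE_ONLY, restrict=Kripke.is_reflexive))
    print("<><>p -> <>p, transitive:", valid_on_small_universes(TRANSITIVE_ONLY, restrict=Kripke.is_transitive))
    print("[]p -> p at state 0:", truth(REFLEXIVE_ONLY, NOT_REFLEXIVE, 0),
          "/ after closure:", truth(REFLEXIVE_ONLY, NOT_REFLEXIVE.closure(), 0))
```

Exhaustive checking over small universes is only evidence, not a proof of validity; for the four schemata above it agrees with the semantic arguments in the text, and the counter-models show that the two restricted ones really depend on the shape of $R$.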

THE  TEMPORAL  FRAMEWORK 

The framework of temporal logic is a modal framework in which we impose further restrictions
on the models of interpretation ([PHI], [RU]). The interpretation given by temporal logic to the
basic accessibility relation is that of the passage of time. A world $s'$ is accessible from a world $s$
if through development in time $s$ can change into $s'$. We concentrate on histories of development
which are linear and discrete. Thus, the models of temporal logic consist of $\omega$-sequences, i.e.,
infinite sequences of the form $\sigma = s_0, s_1, \ldots$. In such a sequence, $s_j$ is accessible from $s_i$ iff $i \le j$.
Due to the discreteness of the sequences we can refer not only to states that lie in the future
of a given state, but also to the (unique) immediate future state or next state. This leads to the
introduction of an additional operator, the next instant operator, denoted by $\bigcirc$.

Relating these concepts to the general modal framework, a universe for temporal logic consists
again of a collection of states (worlds). On these states we define an immediate accessibility relation
$\rho$ which is required to be a function. That means that every world $s$ has exactly one other world $s'$
such that $\rho(s, s')$. This corresponds to our intuition that in a discrete time model each instant has
exactly one immediate successor. $R = \rho^*$, the reflexive transitive closure of $\rho$, is the accessibility
relation discussed under the general modal framework and is indeed both reflexive and transitive.
Intuitively $R(s, s')$ holds when $s'$ is either identical to $s$ or lies in the future of $s$.

Given the restrictions imposed on $R$, the resulting model $(U, s_0)$ can be represented as an
infinite sequence of states,

$\sigma = s_0, s_1, s_2, \ldots$

where $\rho(s_i, s_{i+1})$ holds for every $i \ge 0$. This intuitively corresponds to the temporal development of a
process observed at a sequence of discrete points in time.


******* 


We  will  now  give  a  more  complete  definition  of  the  language  we  are  going  to  use.  Note  that 
this  language  is  designed  specially  for  the  application  we  have  in  mind,  namely  reasoning  about 
programs,  and  is  not  necessarily  the  most  general  temporal  language  possible. 

Symbols.  The  language  uses  a  set  of  basic  symbols  consisting  of  individual  variables  and  constants, 
and  proposition,  function  and  predicate  symbols.  The  set  is  partitioned  into  two  subsets:  global 
and  local  symbols.  The  global  symbols  have  a  uniform  interpretation  over  the  complete  universe 
and  do  not  change  their  value  or  meaning  from  one  state  to  another.  The  local  symbols,  on  the 
other  hand,  may  assume  different  meanings  and  values  in  different  states  of  the  universe.  For  our 
purpose,  the  only  local  symbols  that  interest  us  are  local  individual  variables  and  local  propositions. 
We  will  have  global  symbols  of  all  types. 

Our  symbols  are  further  partitioned  into  different  sorts.  Each  sort  corresponds  to  a  different 
domain,  and  the  interpretation  will  associate  a  domain  with  every  sort.  Corresponding  to  a  sort  we 
may  have  individual  constants  that  are  interpreted  over  the  associated  domain,  individual  variables 
that  assume  values  from  that  domain,  function  symbols  that  represent  functions  over  the  domain, 
and  predicate  symbols  that  represent  predicates  over  the  domain.  The  symbols  used  for  individual 
constants, functions and predicates will be typical of the first-order theory of the domain we wish
to  formalise.  For  example,  in  dealing  with  the  theory  of  natural  numbers  we  use  the  conventional 
symbols: 


$\{0, 1, \ldots, +, -, \times, \ldots, >, \ge, \ldots\}$.
Note that some functions and predicates may have a non-homogeneous signature, i.e., they
may have different sorts associated with different argument positions. A typical example is the
if-then-else function which accepts one boolean argument and two arguments of possibly another
sort.

Operators and quantifiers. We use the regular set of boolean connectives: $\wedge$, $\vee$, $\supset$, $\equiv$, and $\neg$,
together with the equality operator $=$ and the first-order quantifiers $\forall$ and $\exists$. This set is referred
to as the classical operators. The modal operators are:

$\Box$, $\Diamond$, $\bigcirc$ and $U$;

they are called respectively the always, sometime, next and until operators. The first three operators
are unary while the $U$ operator is binary.

The  quantifiers  V  and  3  are  applied  only  to  global  individual  variables. 

Terms. Terms are constructed from individual constants and individual variables to which we
apply functions. The application must conform with the arity and sort signature restrictions
associated with each symbol. An additional rule is that if $t$ is a term so is $\bigcirc t$, referred to as
the next (value of) $t$. Note that we use the next operator $\bigcirc$ in two different ways: as a temporal
operator applied to formulas and as a temporal operator applied to terms.

Formulas (sentences). Formulas are constructed from atomic formulas to which we apply the
boolean connectives, the modal operators and quantification over global individual variables. Atomic
formulas consist of propositions and predicates (including the '=' operator) applied to terms of
the appropriate sorts.

Recall  that  a  formula  is  said  to  be  classical  (static)  if  it  involves  no  modal  operators. 

We will sometimes regard propositions and (closed) formulas as integer-valued functions yielding
1 for true and 0 for false. These functions can then be combined arithmetically in order to
provide a compact representation for equivalent but longer propositional formulas. For example,
for propositions $p_1, \ldots, p_n$, the statement

$p_1 + \cdots + p_n = 1$, or $\sum_{i=1}^{n} p_i = 1$,

states that exactly one of the $p_i$'s is true. This is of course equivalent to the formula

$\bigvee_{1 \le i \le n} p_i \;\wedge\; \bigwedge_{1 \le i < j \le n} \neg(p_i \wedge p_j)$.


MODELS  (ENVIRONMENTS) 


A model $(I, \alpha, \sigma)$ for our language consists of a (global) interpretation $I$, a (global) assignment
$\alpha$ and a sequence of states $\sigma$.

The  interpretation  I  specifies  a  nonempty  domain  D,  corresponding  to  each  sort,  and  assigns 
concrete  elements,  functions  and  predicates  to  the  (global)  individual  constants,  function  and 
predicate  symbols. 
The assignment $\alpha$ assigns a value over the appropriate domain to each of the global free
individual variables.

The sequence $\sigma = s_0, s_1, \ldots$ is an infinite sequence of states. Each state $s_i$ assigns values to
the local free individual variables and propositions.

For a sequence

$\sigma = s_0, s_1, \ldots$

we denote by

$\sigma^{(i)} = s_i, s_{i+1}, \ldots$

the $i$-truncated suffix of $\sigma$.

Given a temporal formula $w$, we present below an inductive definition of the truth value of
$w$ in a model $(I, \alpha, \sigma)$. The value of a subformula or term $t$ under $(I, \alpha, \sigma)$ is denoted by $t|^{\alpha}_{\sigma}$, $I$
being implicitly assumed.


Consider first the evaluation of terms:

• For a local individual variable or local proposition $y$:

$y|^{\alpha}_{\sigma} = y[s_0]$,

i.e., the value assigned to $y$ in $s_0$, the first state of $\sigma$.

• For a global individual variable or global proposition $u$:

$u|^{\alpha}_{\sigma} = \alpha[u]$,

i.e., the value assigned to $u$ by $\alpha$.

• For an individual constant $c$ the evaluation is given by $I$:

$c|^{\alpha}_{\sigma} = I[c]$.

• For a $k$-ary function $f$:

$f(t_1, \ldots, t_k)|^{\alpha}_{\sigma} = I[f](t_1|^{\alpha}_{\sigma}, \ldots, t_k|^{\alpha}_{\sigma})$,

i.e., the value is given by the application of the interpreted function $I[f]$ to the values
of $t_1, \ldots, t_k$ evaluated in the environment $(I, \alpha, \sigma)$.

• For a term $t$:

$(\bigcirc t)|^{\alpha}_{\sigma} = t|^{\alpha}_{\sigma^{(1)}}$,

i.e., the value of $\bigcirc t$ in $\sigma = s_0, s_1, \ldots$ is given by the value of $t$ in the shifted sequence

$\sigma^{(1)} = s_1, s_2, \ldots$.
Consider now the evaluation of sentences:

• For a $k$-ary predicate $p$ (including equality):

$p(t_1, \ldots, t_k)|^{\alpha}_{\sigma} = I[p](t_1|^{\alpha}_{\sigma}, \ldots, t_k|^{\alpha}_{\sigma})$.

Here again, we evaluate the arguments in the environment and then test $I[p]$ on them.

• For a disjunction:

$(w_1 \vee w_2)|^{\alpha}_{\sigma} = true$ iff $w_1|^{\alpha}_{\sigma} = true$ or $w_2|^{\alpha}_{\sigma} = true$.

• For a negation:

$(\neg w)|^{\alpha}_{\sigma} = true$ iff $w|^{\alpha}_{\sigma} = false$.

• For a next-time application:

$(\bigcirc w)|^{\alpha}_{\sigma} = w|^{\alpha}_{\sigma^{(1)}}$.

Thus $\bigcirc w$ means: $w$ will be true in the next instant - read "next $w$".

• For an all-times application:

$(\Box w)|^{\alpha}_{\sigma} = true$ iff for every $k \ge 0$, $w|^{\alpha}_{\sigma^{(k)}} = true$,

i.e., $w$ is true for all suffix sequences of $\sigma$. Thus $\Box w$ means: $w$ is true for all future
instants (including the present) - read "always $w$" or "henceforth $w$".

• For a some-time application:

$(\Diamond w)|^{\alpha}_{\sigma} = true$ iff there exists a $k \ge 0$ such that $w|^{\alpha}_{\sigma^{(k)}} = true$,

i.e., $w$ is true on at least one suffix of $\sigma$. Thus $\Diamond w$ means: $w$ will be true at some
future instant (possibly the present) - read "sometimes $w$" or "eventually $w$".

• For an until application:

$(w_1\, U\, w_2)|^{\alpha}_{\sigma} = true$ iff for some $k \ge 0$, $w_2|^{\alpha}_{\sigma^{(k)}} = true$ and
for all $i$, $0 \le i < k$, $w_1|^{\alpha}_{\sigma^{(i)}} = true$.

Thus $w_1\, U\, w_2$ means: there is a future instant in which $w_2$ holds, and such that until
that instant $w_1$ continuously holds - read "$w_1$ until $w_2$" ([KAM], [GPSS]).

• For a universal quantification:

$(\forall u.\, w)|^{\alpha}_{\sigma} = true$ iff for every $d \in D_u$, $w|^{\alpha'}_{\sigma} = true$,

where $\alpha' = \alpha \circ [u \leftarrow d]$ is the assignment obtained from $\alpha$ by assigning $d$ to $u$. $D_u$ is
the domain corresponding to the sort of $u$.

• For an existential quantification:

$(\exists u.\, w)|^{\alpha}_{\sigma} = true$ iff for some $d \in D_u$, $w|^{\alpha'}_{\sigma} = true$,

where $\alpha' = \alpha \circ [u \leftarrow d]$.

Following are some examples of temporal expressions and their intuitive interpretations:

$u \supset \Diamond v$ - If $u$ is presently true, $v$ will eventually become true.

$\Box(u \supset \Diamond v)$ - Whenever $u$ becomes true it will eventually be followed by $v$.

$\Diamond \Box w$ - At some future instant $w$ will become permanently true.

$\Diamond(w \wedge \bigcirc \neg w)$ - There will be a future instant such that $w$ is true at that instant and false
at the next.

$\Box \Diamond w$ - Every future instant is followed by a later one in which $w$ is true; thus $w$ is
true infinitely often.

$\Box(u \supset \Box v)$ - If $u$ ever becomes true, then $v$ is true at that instant and ever after.

$\Box u \vee (u\, U\, v)$ - Either $u$ holds continuously or it holds until an occurrence of $v$. This is the
weak form of the until operator, which states that $u$ will hold continuously
until the first occurrence of $v$ if $v$ ever happens, or indefinitely otherwise.

$\Diamond v \supset ((\neg v)\, U\, u)$ - If $v$ ever happens, its first occurrence is preceded by (or coincides with) $u$.

If $w$ is true under the model $(I, \alpha, \sigma)$ we say that $(I, \alpha, \sigma)$ satisfies $w$ or that $(I, \alpha, \sigma)$ is a
satisfying model for $w$. We denote this by

$(I, \alpha, \sigma) \models w.$

A formula $w$ is satisfiable if there exists a satisfying model for it.

A formula $w$ is valid if it is true in every model, and we write
$\models w.$

Sometimes we are interested in a restricted class of models $\mathcal{C}$. A formula $w$ which is true for
every model in $\mathcal{C}$ is said to be $\mathcal{C}$-valid, denoted by

$\models_{\mathcal{C}} w.$

Example:

The formula $\Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2)$ is valid, i.e.,

$\models \Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2).$

It says that if there exists an instant in which both $w_1$ and $w_2$ are true then there exists an instant
in which $w_1$ is true and there exists an instant in which $w_2$ is true.

The $\supset$-converse of this formula is not valid, i.e.,

$\not\models (\Diamond w_1 \wedge \Diamond w_2) \supset \Diamond(w_1 \wedge w_2).$

For, consider an interpretation in which $w_1$ is true and $w_2$ is false at state $s_1$, and in which $w_1$ is
false and $w_2$ is true at state $s_2$, and $s_2$ is accessible from $s_1$ (also clearly $s_1$ from $s_1$ and $s_2$ from
$s_2$):

[Figure: two states $s_1$ and $s_2$; at $s_1$: $w_1$ true, $w_2$ false; at $s_2$: $w_1$ false, $w_2$ true.]

Then at state $s_1$:

$\Diamond w_1$ is true (since $w_1$ is true at $s_1$)

$\Diamond w_2$ is true (since $w_2$ is true at $s_2$)

$\Diamond(w_1 \wedge w_2)$ is false (since $w_1 \wedge w_2$ is false at $s_1$ and at $s_2$).

Therefore, the formula is false under this interpretation. ∎


A  REPERTOIRE  OF  VALID  TEMPORAL  STATEMENTS 


In  this  section  we  present  a  list  of  valid  temporal  statements  (schemata)  which  we  justify  by 
semantic  considerations.  There  are  two  reasons  for  presenting  them  here.  First  we  would  like  to 
illustrate  the  type  of  temporal  reasoning  we  will  later  use.  Second,  the  statements  presented  here 
will  later  be  taken  to  be  established  valid  statements  and  used  freely  in  proofs.  When,  in  a  later 
part  of  this  work,  we  present  a  formal  deductive  system  for  temporal  reasoning,  we  will  take  some 
of  the  valid  statements  listed  here  as  axioms  and  deduce  the  others  as  theorems. 

In the following list, whenever we write a valid temporal statement in the form $\models A \supset B$ and not
$\models A \equiv B$, it implies that its $\supset$-inverse is not valid, i.e., $\not\models B \supset A$. That is, a model can be found
under which an instance of $B \supset A$ will be false.


1.  $\models \Box\sim w \equiv \sim\Diamond w$

2.  $\models \Diamond\sim w \equiv \sim\Box w$

3.  $\models \bigcirc\sim w \equiv \sim\bigcirc w$

These  statements  point  out  the  duality  between  the  operators. 

Statement  1  says  that  w  is  false  in  all  states  (instants)  of  a  sequence  iff  there  is  no  state  in 
which  w  is  true. 




Statement  2  says  that  there  is  a  state  in  which  w  is  false  iff  it  is  not  the  case  that  w  is  true  in 
all  states. 

Statement  3  says  that  w  is  false  in  the  next  state  iff  it  is  not  the  case  that  w  is  true  in  the 
next  state.  This  statement  restricts  each  state  to  have  a  single  successor. 


4.  $\models w \supset \Diamond w$

5.  $\models \Box w \supset w$

6.  $\models \bigcirc w \supset \Diamond w$

7.  $\models \Box w \supset \bigcirc w$

8.  $\models \Box w \supset \Diamond w$

9.  $\models \Box w \supset \bigcirc\Box w$

10.  $\models (w_1\,\mathcal{U}\,w_2) \supset \Diamond w_2$

11.  $\models \Diamond\Box w \supset \Box\Diamond w$

Statement  4  says  that  if  w  is  true  now,  then  it  will  be  true  sometime  in  the  future.  This  is  an 
immediate  consequence  of  the  fact  that  the  present  is  considered  to  be  part  of  the  future. 

Statement  5,  a  dual  of  4,  says  that  if  w  is  true  in  all  future  instants  it  is  also  presently  true. 

Statement  6  says  that  if  w  is  true  at  the  next  instant  it  will  sometime  be  true.  This  is  because 
the  next  instant  is  also  a  part  of  the  future. 

Statement  7,  a  dual  of  6,  says  that  if  w  is  true  in  all  future  instants  it  is  also  true  for  the  next 
instant. 

Statement  8  says  that  if  w  is  always  true  then  it  is  sometimes  true. 

Statement  9  says  that  if  w  is  true  in  all  future  instants  it  is  also  true  for  all  future  instants  of 
the  next  instant,  i.e.,  all  future  instants  excluding  the  present. 

Statement 10 says that if $w_1$ is true until $w_2$ will happen then $w_2$ will eventually happen.

Statement  11  says  that  if  w  is  permanently  true  beyond  a  certain  instant  then  w  is  true 
infinitely  often. 

12.  $\models \Box w \equiv \Box\Box w$

13.  $\models \Diamond w \equiv \Diamond\Diamond w$.

The statements 12 and 13 say that both $\Box$ and $\Diamond$ are idempotent. Intuitively speaking both imply
that the future is equivalent to the future of the future. Note that a corresponding statement does
not hold for $\bigcirc$, since both $\not\models \bigcirc w \supset \bigcirc\bigcirc w$ and $\not\models \bigcirc\bigcirc w \supset \bigcirc w$.

14.  $\models \Box\bigcirc w \equiv \bigcirc\Box w$

15.  $\models \Diamond\bigcirc w \equiv \bigcirc\Diamond w$

16.  $\models ((\bigcirc w_1)\,\mathcal{U}\,(\bigcirc w_2)) \equiv \bigcirc(w_1\,\mathcal{U}\,w_2)$.


Statements 14 to 16 indicate the commutativity of the next operator $\bigcirc$ with each of the others. It
amounts to a shift of our reference point from the present to the immediately next instant.

Statement 14 says that $w$ holds for the instant next to every future instant iff $w$ holds for all
future instants, barring the present.

Statement 15 says that $w$ is realized in an instant next to some future instant iff it is realized
sometimes in the future, excluding the present.

Statement 16 says that $\bigcirc w_1$ holds until an instance of $\bigcirc w_2$ iff $w_1$ holds until $w_2$ starting
from the next instant.


17.  $\models \Box(w_1 \wedge w_2) \equiv (\Box w_1 \wedge \Box w_2)$

18.  $\models \Diamond(w_1 \vee w_2) \equiv (\Diamond w_1 \vee \Diamond w_2)$

19.  $\models \bigcirc(w_1 \wedge w_2) \equiv (\bigcirc w_1 \wedge \bigcirc w_2)$

20.  $\models \bigcirc(w_1 \vee w_2) \equiv (\bigcirc w_1 \vee \bigcirc w_2)$

21.  $\models \bigcirc(w_1 \supset w_2) \equiv (\bigcirc w_1 \supset \bigcirc w_2)$

22.  $\models \bigcirc(w_1 \equiv w_2) \equiv (\bigcirc w_1 \equiv \bigcirc w_2)$

23.  $\models ((w_1 \wedge w_2)\,\mathcal{U}\,w_3) \equiv ((w_1\,\mathcal{U}\,w_3) \wedge (w_2\,\mathcal{U}\,w_3))$

24.  $\models (w_1\,\mathcal{U}\,(w_2 \vee w_3)) \equiv ((w_1\,\mathcal{U}\,w_2) \vee (w_1\,\mathcal{U}\,w_3))$.

Statements  17  to  24  indicate  distributivity  relations  between  the  temporal  operators  and  the  boolean 
connectives. 

The $\Box$ operator has a universal character - stating $w$ for all future instants, and the $\Diamond$ operator
has an existential character - stating $w$ for some future instant. Consequently $\Box$ distributes with
$\wedge$ (17), stating that both $w_1$ and $w_2$ hold in every future instant iff $w_1$ holds for all future instants
and so does $w_2$. The $\Diamond$ operator distributes with $\vee$ (18), stating that there will be an instant in
which either $w_1$ or $w_2$ holds iff either there will be an instant in which $w_1$ holds or there will be an
instant in which $w_2$ holds.

The $\bigcirc$ operator has both universal and existential character because it refers to a unique
instant - the next one. Therefore it distributes with both $\wedge$ and $\vee$, as is shown by statements 19
and 20.

Since the $\bigcirc$ operator has been shown to distribute with the basic boolean connectives
$\wedge$, $\vee$, it will also distribute over any other boolean connective such as $\supset$ and $\equiv$. For example,
Statement 21 says that if in the next instant $w_1$ implies $w_2$ and $w_1$ is known to hold at the next
instant then so does $w_2$.

The until operator has a different character with respect to its two arguments. It is universal
with respect to its first argument, which appears in the semantic definition under a $\forall i\,(0 \le i < k)$
quantification. It is existential with respect to its second argument, which appears in the semantic
definition under a $\exists k\,(k \ge 0)$ quantification.

Statement 23 says that $w_1$ and $w_2$ both hold until an instance of $w_3$ iff $w_1$ holds until an
instance of $w_3$ and $w_2$ holds until an instance of $w_3$. To justify the implication from right to left,
we are guaranteed of having a $t_1$ such that $w_3$ is true at $t_1$ and $w_1$ holds until then, and a $t_2$ such
that $w_3$ is true at $t_2$ and $w_2$ holds until then. By considering the earliest of these two instants
$t = \min(t_1, t_2)$ we know that $w_3$ is true at $t$ and both $w_1$ and $w_2$ hold until then.

Statement 24 says that $w_1$ holds until an instance of either $w_2$ or $w_3$ iff either $w_1$ holds until
an instance of $w_2$ or $w_1$ holds until an instance of $w_3$.

25.  $\models (\Box w_1 \vee \Box w_2) \supset \Box(w_1 \vee w_2)$

26.  $\models \Diamond(w_1 \wedge w_2) \supset (\Diamond w_1 \wedge \Diamond w_2)$

27.  $\models ((w_1\,\mathcal{U}\,w_3) \vee (w_2\,\mathcal{U}\,w_3)) \supset ((w_1 \vee w_2)\,\mathcal{U}\,w_3)$

28.  $\models (w_1\,\mathcal{U}\,(w_2 \wedge w_3)) \supset ((w_1\,\mathcal{U}\,w_2) \wedge (w_1\,\mathcal{U}\,w_3))$.

Statements  25  to  28  indicate  implications  that  hold  when  we  interchange  the  order  between 
temporal  operators  and  the  boolean  connectives.  They  are  not  equivalences  and  only  the  direction 
of  the  given  implication  is  true. 

Statement 25 says that if either $w_1$ is true for all future instants or $w_2$ is true for all future
instants then in every future instant either $w_1$ or $w_2$ holds.

Statement 26 says that if there exists an instant in which both $w_1$ and $w_2$ are true then there
exists an instant in which $w_1$ is true and there exists an instant in which $w_2$ is true.

Statement 27 says that if either $w_1$ holds until $w_3$ or $w_2$ holds until $w_3$ then there is an instance
of $w_3$ such that until then either $w_1$ or $w_2$ holds.

Statement 28 says that if $w_1$ holds until an instant $t$ in which both $w_2$ and $w_3$ are true then
both $w_1$ holds until $w_2$ at $t$ and $w_1$ holds until $w_3$ at $t$, implying the conjunction.

29.  $\models \Box(w_1 \supset w_2) \supset (\Box w_1 \supset \Box w_2)$

30.  $\models \Box(w_1 \supset w_2) \supset (\Diamond w_1 \supset \Diamond w_2)$

31.  $\models \Box(w_1 \supset w_2) \supset (\bigcirc w_1 \supset \bigcirc w_2)$

32.  $\models \Box(w_1 \supset w_2) \supset ((w_1\,\mathcal{U}\,w_3) \supset (w_2\,\mathcal{U}\,w_3))$

33.  $\models \Box(w_1 \supset w_2) \supset ((w_0\,\mathcal{U}\,w_1) \supset (w_0\,\mathcal{U}\,w_2))$.

Statements 29 to 33 indicate the monotonicity of each of the temporal operators; that is, if
its application to a formula $w_1$ is true and $w_1$ universally implies $w_2$ (for all instants) then its
application to $w_2$ is also true.

This property is stated respectively for $\Box$ in 29, $\Diamond$ in 30, $\bigcirc$ in 31 and the two positions of $\mathcal{U}$
in 32 and 33.

34.  $\models (\Box w_1 \wedge \Diamond w_2) \supset \Diamond(w_1 \wedge w_2)$

35.  $\models (\Box w_1 \wedge \bigcirc w_2) \supset \bigcirc(w_1 \wedge w_2)$

36.  $\models (\Box w_1 \wedge (w_2\,\mathcal{U}\,w_3)) \supset ((w_1 \wedge w_2)\,\mathcal{U}\,(w_1 \wedge w_3))$.

Statements 34 to 36 are frame rules. They say that if $w_1$ is known to hold for all states then $w_1$
may be added as a conjunct under any other temporal operator. This is respectively stated for $\Diamond$
in 34, for $\bigcirc$ in 35 and for both argument positions of $\mathcal{U}$ in 36.

37.  $\models (w \wedge \Box(w \supset \bigcirc w)) \supset \Box w$

38.  $\models (w \wedge \Diamond\sim w) \supset \Diamond(w \wedge \bigcirc\sim w)$

39.  $\models (\Diamond w_1 \wedge \Diamond w_2) \supset [\Diamond(w_1 \wedge \Diamond w_2) \vee \Diamond(w_2 \wedge \Diamond w_1)]$.

Statements  37  and  38  are  induction  rules  and  Statement  39  describes  the  linearity  property. 

Statement  37  (corresponding  to  computational  induction)  says  that  if  the  fact  that  w  holds  at 
any  instant  implies  that  it  also  holds  at  the  next  instant,  and  w  holds  in  the  present,  then  w  holds 
at  all  future  instants. 

Statement  38  (corresponding  to  the  least  number  principle)  is  the  dual  of  37.  It  says  that  if  w 
is  true  now  and  is  false  sometime  in  the  future,  then  there  exists  some  instant  such  that  w  is  true 
at  that  instant  and  false  at  the  next. 

Statement 39 says that if $w_1$ and $w_2$ are both guaranteed to happen, then either $w_1$ will
happen first, followed by $w_2$, or $w_2$ will happen first, followed by $w_1$.

40.  $\models \Box w \equiv (w \wedge \bigcirc\Box w)$

41.  $\models \Diamond w \equiv (w \vee \bigcirc\Diamond w)$

42.  $\models (w_1\,\mathcal{U}\,w_2) \equiv (w_2 \vee (w_1 \wedge \bigcirc(w_1\,\mathcal{U}\,w_2)))$

Statements 40 to 42 explain the $\Box$, $\Diamond$, and $\mathcal{U}$ operators respectively by distributing their effect
into what is implied for the present and what is implied for the next instant.

Statement 40 says that $w$ is true for all future instants iff $w$ is true for the present and for all
instants lying in the future of the next instant.

Statement 41 says that $w$ is true in some future instant iff it is either true now or true at an
instant not earlier than the next.

Statement 42 says that '$w_1$ until $w_2$' is presently true iff either $w_2$ is true now or $w_1$ holds
now and '$w_1$ until $w_2$' is true for the next instant.


43.  $\models (\sim w\,\mathcal{U}\,w) \equiv \Diamond w$

44.  $\models (\Box w_1 \wedge \Diamond w_2) \supset (w_1\,\mathcal{U}\,w_2)$

45.  $\models ((w_1 \supset w_2)\,\mathcal{U}\,w_3) \supset ((w_1\,\mathcal{U}\,w_3) \supset (w_2\,\mathcal{U}\,w_3))$

46.  $\models ((w_1\,\mathcal{U}\,w_2) \wedge (\sim w_2\,\mathcal{U}\,w_3)) \supset (w_1\,\mathcal{U}\,w_3)$

47.  $\models (w_1\,\mathcal{U}\,(w_2 \wedge w_3)) \supset ((w_1\,\mathcal{U}\,w_2)\,\mathcal{U}\,w_3)$

48.  $\models ((w_1\,\mathcal{U}\,w_2)\,\mathcal{U}\,w_3) \supset ((w_1 \vee w_2)\,\mathcal{U}\,w_3)$

49.  $\models (\Diamond w_1 \wedge \Diamond w_2) \supset ((\sim w_1\,\mathcal{U}\,w_2) \vee (\sim w_2\,\mathcal{U}\,w_1))$.

This  list  of  statements  illustrates  some  properties  of  the  until  operator. 

Statement 43 says that $w$ is guaranteed to happen iff there is an instant in which $w$ is true
and until this instant $w$ is false. This states that $w$ happens iff there is an earliest occurrence of $w$.

Statement 44 says that if $w_2$ is guaranteed to happen and $w_1$ is constantly true, then $w_1$ will
be true until a guaranteed occurrence of $w_2$.

Statement 45 says that if $w_1$ implies $w_2$ until $w_3$ happens and $w_1$ is true until an instance
of $w_3$ (not necessarily the same instance) then $w_2$ will hold until an instance of $w_3$ (which can be
taken as the earlier of the two).

Statement 46 says that if $w_1$ holds until $w_2$ and $w_2$ is false until $w_3$ then $w_1$ is true until $w_3$.
To justify this let (a) $w_1\,\mathcal{U}\,w_2$ and (b) $\sim w_2\,\mathcal{U}\,w_3$ be the two clauses given as premises. By (b) we
know that $w_3$ will happen, say at $t_3$, and $w_2$ will be false until then. By (a) $w_2$ must happen, say at
$t_2$, and $w_1$ must be true until then. By (b) $t_2 \ge t_3$, so that $w_1$ must certainly be true until $t_3$, an
instance of $w_3$.

Statement 47 can be justified as follows. The premise guarantees an instant $t_2$ such that $w_2$
and $w_3$ are both true at $t_2$ and $w_1$ is true until then. Clearly, taking any $0 \le t_1 \le t_2$ we know
that $w_2$ will be true at $t_2$ and $w_1$ is true for every $t$, $t_1 \le t < t_2$, thus $w_1\,\mathcal{U}\,w_2$ holds at $t_1$. Since $w_1\,\mathcal{U}\,w_2$
is true for every $t_1$, $0 \le t_1 \le t_2$, and $w_3$ is true at $t_2$, $w_1\,\mathcal{U}\,w_2$ is true until $w_3$.

Statement 48 says that if $w_1\,\mathcal{U}\,w_2$ is continuously true until an instance of $w_3$ then so is $w_1 \vee w_2$.

Statement 49 says that if both $w_1$ and $w_2$ are guaranteed to happen then one of them will
happen "first"; that is, either $w_2$ happens first and $w_1$ is false until then, or $w_1$ happens first and
$w_2$ is false until then. (In both cases we allow the possibility that both $w_1$ and $w_2$ occur for the
first time at the same instant.)
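As an added illustration (not part of the paper), the following Python evaluator implements the suffix semantics given earlier for $\Box$, $\Diamond$, $\bigcirc$ and $\mathcal{U}$ over models that are finite state sequences whose last state repeats forever, and uses it as a bounded validity checker that searches every such model up to a given length for a counterexample. Applied to statements 23, 42, 43 and 46 it finds none; for the $\supset$-converse of statement 26 it finds a two-state model like the one in the example after the definition of validity, and for the remark after statement 13 it refutes both $\bigcirc w \supset \bigcirc\bigcirc w$ and $\bigcirc\bigcirc w \supset \bigcirc w$. A model the checker returns is a genuine refutation; the absence of one is only evidence within the bound, not a proof, which is what the deductive system promised later is for. The formula constructors and function names are this example's own, not the paper's.

```python
from itertools import product

# Formula constructors; formulas are nested tuples and propositions are names
# looked up in each state. Comments give the paper's symbol for each operator.
def P(name):      return ('p', name)
def Not(f):       return ('not', f)            # ~
def And(f, g):    return ('and', f, g)         # /\
def Or(f, g):     return ('or', f, g)          # \/
def Imp(f, g):    return ('imp', f, g)         # implication
def Iff(f, g):    return ('iff', f, g)         # equivalence
def Next(f):      return ('next', f)           # circle (next instant)
def Always(f):    return ('always', f)         # box
def Sometime(f):  return ('sometime', f)       # diamond
def Until(f, g):  return ('until', f, g)       # U


def ev(f, trace, i=0):
    """Truth value of f on the suffix of `trace` starting at position i.

    A model is a finite list of states (dict: proposition -> bool) whose last
    state repeats forever, so each suffix is an infinite sequence as in the
    paper. All suffixes from position len(trace)-1 onward are identical, so
    quantifying over positions up to that one is exact for these models."""
    last = len(trace) - 1
    state = lambda j: trace[min(j, last)]
    positions = range(i, max(i, last) + 1)
    op = f[0]
    if op == 'p':        return state(i)[f[1]]
    if op == 'not':      return not ev(f[1], trace, i)
    if op == 'and':      return ev(f[1], trace, i) and ev(f[2], trace, i)
    if op == 'or':       return ev(f[1], trace, i) or ev(f[2], trace, i)
    if op == 'imp':      return (not ev(f[1], trace, i)) or ev(f[2], trace, i)
    if op == 'iff':      return ev(f[1], trace, i) == ev(f[2], trace, i)
    if op == 'next':     return ev(f[1], trace, i + 1)
    if op == 'always':   return all(ev(f[1], trace, j) for j in positions)
    if op == 'sometime': return any(ev(f[1], trace, j) for j in positions)
    if op == 'until':    # some k >= i with w2 at k and w1 at every j, i <= j < k
        return any(ev(f[2], trace, k) and all(ev(f[1], trace, j) for j in range(i, k))
                   for k in positions)
    raise ValueError('unknown operator %r' % op)


def models(props, max_len):
    """Every model of length 1..max_len over the given propositions."""
    states = [dict(zip(props, bits))
              for bits in product([False, True], repeat=len(props))]
    for n in range(1, max_len + 1):
        for trace in product(states, repeat=n):
            yield list(trace)


def counterexample(f, props, max_len=4):
    """A model falsifying f, or None if no model up to the bound does.
    A returned model is a genuine refutation; None is evidence only."""
    for trace in models(props, max_len):
        if not ev(f, trace):
            return trace
    return None


w1, w2, w3 = P('w1'), P('w2'), P('w3')
# Statement 23: ((w1 /\ w2) U w3) == ((w1 U w3) /\ (w2 U w3))
stmt23 = Iff(Until(And(w1, w2), w3), And(Until(w1, w3), Until(w2, w3)))
# Statement 42: (w1 U w2) == (w2 \/ (w1 /\ O(w1 U w2)))
stmt42 = Iff(Until(w1, w2), Or(w2, And(w1, Next(Until(w1, w2)))))
# Statement 43: (~w U w) == <>w
stmt43 = Iff(Until(Not(w1), w1), Sometime(w1))
# Statement 46: ((w1 U w2) /\ (~w2 U w3)) -> (w1 U w3)
stmt46 = Imp(And(Until(w1, w2), Until(Not(w2), w3)), Until(w1, w3))
# Converse of statement 26, shown non-valid by the paper's two-state example
conv26 = Imp(And(Sometime(w1), Sometime(w2)), Sometime(And(w1, w2)))
# Remark after statement 13: neither direction of "O is idempotent" is valid
next_idem = Imp(Next(w1), Next(Next(w1)))
next_idem_rev = Imp(Next(Next(w1)), Next(w1))

if __name__ == '__main__':
    three = ['w1', 'w2', 'w3']
    for name, f, props in [('23', stmt23, three), ('42', stmt42, three),
                           ('43', stmt43, ['w1']), ('46', stmt46, three),
                           ('converse of 26', conv26, ['w1', 'w2']),
                           ('O w -> O O w', next_idem, ['w1']),
                           ('O O w -> O w', next_idem_rev, ['w1'])]:
        print(name, '- counterexample:', counterexample(f, props))
```

The bound of four states is enough for every refutation above, since each needs at most three distinct states before the final repeating one; raising it only enlarges the search.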


50.  $\models \Diamond\exists x\,w \equiv \exists x\,\Diamond w$

51.  $\models \Box\forall x\,w \equiv \forall x\,\Box w$

52.  $\models \bigcirc\exists x\,w \equiv \exists x\,\bigcirc w$

53.  $\models \bigcirc\forall x\,w \equiv \forall x\,\bigcirc w$

54.  $\models ((\forall x\,w_1)\,\mathcal{U}\,w_2) \equiv \forall x\,(w_1\,\mathcal{U}\,w_2)$

provided $x$ is not free in $w_2$

55.  $\models (w_1\,\mathcal{U}\,(\exists x\,w_2)) \equiv \exists x\,(w_1\,\mathcal{U}\,w_2)$

provided $x$ is not free in $w_1$

Statements  50  to  55  indicate  the  commutativity  relations  between  the  temporal  operators  and  the 
quantifiers.  They  follow  from  our  restriction  that  the  quantifiers  V  and  3  are  to  be  applied  only  to 
global  individual  variables.  Statements  50  and  51  are  known  as  Barcan's  formulas. 

Statement 50 demonstrates once more the existential character of the operator $\Diamond$. It says that
in some instant there exists an $x$ satisfying $w(x)$ iff there exists an $x$ such that at some instant
$w(x)$ is satisfied.

Statement 51 demonstrates the universal character of the $\Box$ operator. It says that $w$ is true
in all instants for all values of $x$ iff it is true for all values of $x$ for every instant.

Statements 52 and 53 demonstrate the dual character of the $\bigcirc$ operator, which is both
universal and existential.

Statements 54 and 55 demonstrate that the until operator has a universal character with
respect to its first argument and an existential character with respect to its second argument.

The preceding statements were all of the form

$\models w$

and they stated formulas which are true in every model. The next list of statements contains
inferences of the form

$\models w_1 \Rightarrow \models w_2.$

They state that if $w_1$ has been shown to be a valid statement then so is $w_2$. The inference
statements enable us to deduce the validity of one formula from the other. For every valid formula
$\models w_1 \supset w_2$ there is a corresponding inference $\models w_1 \Rightarrow \models w_2$, and this is a standard way of justifying
an inference. However, there are inferences $\models w_1 \Rightarrow \models w_2$ such that $\models w_1 \supset w_2$ is not a valid
statement (see, for example, the following inference 56).


56.  $\models w \Rightarrow \models \Box w$    ($\Box$-insertion)

57.  $\models w \Rightarrow \models \Diamond w$    ($\Diamond$-insertion)

58.  $\models w \Rightarrow \models \bigcirc w$    ($\bigcirc$-insertion)

Inference 56 states that if $w$ is valid then so is $\Box w$. The fact that $w$ is valid means that it is true
for every sequence and therefore for all suffixes of a given sequence. Thus $\Box w$ is true for every
sequence $\sigma$ and is therefore a valid statement.

Inference 57 may be deduced by inferring first $\models \Box w$ and then using the valid statement
$\models \Box w \supset \Diamond w$ (number 8 in our list) to infer $\models \Diamond w$.

Inference 58 may be deduced similarly by using Statement 7, $\models \Box w \supset \bigcirc w$.


59.  $\models w_1 \supset w_2 \Rightarrow \models \Box w_1 \supset \Box w_2$    ($\Box\Box$-insertion)

60.  $\models w_1 \supset w_2 \Rightarrow \models \Diamond w_1 \supset \Diamond w_2$    ($\Diamond\Diamond$-insertion)

61.  $\models w_1 \supset w_2 \Rightarrow \models \bigcirc w_1 \supset \bigcirc w_2$    ($\bigcirc\bigcirc$-insertion)

These inferences are all obtained by inferring first $\models \Box(w_1 \supset w_2)$ by Inference 56 and then using
statements 29 to 31, respectively.

62.  $\models w_1 \supset \Box w_2$, $\models w_2 \supset \Box w_3$  $\Rightarrow$  $\models w_1 \supset \Box w_3$    ($\Box$-concatenation)

63.  $\models w_1 \supset \Diamond w_2$, $\models w_2 \supset \Diamond w_3$  $\Rightarrow$  $\models w_1 \supset \Diamond w_3$    ($\Diamond$-concatenation)

Inference 62 is obtained by first deriving $\models \Box w_2 \supset \Box\Box w_3$ by Inference 59, observing that
$\Box\Box w_3 \equiv \Box w_3$, and then using propositional reasoning. Inference 63 is obtained similarly by
applying Inference 60. Note that the corresponding $\bigcirc$-concatenation inference does not hold.


64.  $\models w_1 \supset w_2$, $\models w_2 \supset \Box w_3$, $\models w_3 \supset w_4$  $\Rightarrow$  $\models w_1 \supset \Box w_4$    ($\Box$-consequence)

65.  $\models w_1 \supset w_2$, $\models w_2 \supset \Diamond w_3$, $\models w_3 \supset w_4$  $\Rightarrow$  $\models w_1 \supset \Diamond w_4$    ($\Diamond$-consequence)

66.  $\models w_1 \supset w_2$, $\models w_2 \supset \bigcirc w_3$, $\models w_3 \supset w_4$  $\Rightarrow$  $\models w_1 \supset \bigcirc w_4$    ($\bigcirc$-consequence)

Inference 64 is obtained by deriving first $\models \Box w_3 \supset \Box w_4$ by $\Box\Box$-insertion (59) and
then applying propositional reasoning. Similarly, inferences 65 and 66 are obtained by deriving
$\models \Diamond w_3 \supset \Diamond w_4$ and $\models \bigcirc w_3 \supset \bigcirc w_4$ by 60 and 61, respectively.
2. CONCURRENT PROGRAMS AND THEIR EXECUTION


In  the  following  we  introduce  the  model  of  concurrent  programs  that  we  will  study  here.  (For 
simpler  models  see  [KEL]  and  [LAMl].) 

In our model, a concurrent program

$P :: \bar{y} := f_0(\bar{x});\ [P_1 \| \ldots \| P_m]$

consists of an initial value assignment $\bar{y} := f_0(\bar{x})$ followed by the parallel execution of $m$, $m \ge 1$,
processes $P_1, \ldots, P_m$. The processes operate on a set of program variables $\bar{y} = (y_1, \ldots, y_n)$
which are shared between the processes. The variables $\bar{y}$ are accessible to all the processes for
both referencing and modifying. Each process $P_i$, $i = 1, \ldots, m$, is an independent transition
graph with nodes (locations) labeled by $\ell_0, \ell_1, \ldots, \ell_k$. The sets of labels $L_i = \{\ell_0, \ldots, \ell_k\}$
of the different processes are disjoint. The edges (or transitions) in each process are labeled by
instructions of the form:

$c_\alpha(\bar{y}) \to [\bar{y} := f_\alpha(\bar{y})]$

where $c_\alpha(\bar{y})$ is a condition called the enabling condition of the transition $\alpha$, and $f_\alpha$ is the transformation
associated with the transition $\alpha$. If $c_\alpha(\eta)$ is true we say that the transition $\alpha$ is enabled for
$\bar{y} = \eta$.

For a given node $\ell$ with $k$ outgoing transitions

$c_1(\bar{y}) \to [\bar{y} := f_1(\bar{y})]$

$\ldots$

$c_k(\bar{y}) \to [\bar{y} := f_k(\bar{y})]$

we define $E_\ell(\bar{y}) = c_1(\bar{y}) \vee \ldots \vee c_k(\bar{y})$ to be the full-exit condition at node $\ell$. We do not require that
the individual conditions are exhaustive, i.e., that $E_\ell(\bar{y}) = \mathrm{true}$ for every $\bar{y}$; thus, deadlocks (or
blockings) are allowed in our semantics. Nor do we require the conditions to be exclusive; thus, each
process can be nondeterministic. A location whose individual conditions are mutually exclusive is
called a deterministic location. If $E_\ell(\eta)$ is true, i.e. at least one of the $\alpha_i$, $i = 1, \ldots, k$, transitions
originating from $\ell$ is enabled, we say that the location $\ell$ is enabled for $\bar{y} = \eta$. If a process $P_j$ is
currently at $\ell \in L_j$ which is enabled, we say that the process is enabled.

The set of program variables $\bar{y} = (y_1, \ldots, y_n)$ is accessible and shared by all the processes.
This model of concurrent programs is therefore called the shared-variables model. In this model,
communication and synchronization between processes are managed via the shared variables.

The initial assignment $\bar{y} := f_0(\bar{x})$ assigns initial values to the shared program variables prior
to the beginning of the concurrent execution. The parameters $\bar{x} = (x_1, \ldots, x_t)$ that appear in
this initial assignment, as well as other parameters appearing in the bodies of the processes, are
the input parameters of the program. The behavior of the program naturally depends on the input
parameters.

We  will  often  represent  a  process  in  a  linear-text  form  instead  of  a  graph.  In  such  a  case  the 
nodes  are  the  places  (labels)  just  before  each  statement,  and  the  transitions  are  the  statements 
themselves. 

We list below the types of statements that we allow in the linear-text form and their representation
in the graph model:

►  ℓ:  ȳ := f(ȳ)
    ℓ':

is represented as the transition $\mathrm{true} \to [\bar{y} := f(\bar{y})]$ from $\ell$ to $\ell'$.

►  ℓ:  if p(ȳ) then go to m
    ℓ':

is represented as the two transitions $p(\bar{y}) \to [\ ]$ from $\ell$ to $m$ and $\sim p(\bar{y}) \to [\ ]$ from $\ell$ to $\ell'$.

►  ℓ:  if p(ȳ) then ȳ := f(ȳ)
    ℓ':

is represented as the two transitions $p(\bar{y}) \to [\bar{y} := f(\bar{y})]$ and $\sim p(\bar{y}) \to [\ ]$, both from $\ell$ to $\ell'$.
►  ℓ:  loop until p(ȳ)
    ℓ':

This statement loops until the condition $p(\bar{y})$ becomes true. It is represented as the pair of transitions
$\sim p(\bar{y}) \to [\ ]$ from $\ell$ back to $\ell$ itself and $p(\bar{y}) \to [\ ]$ from $\ell$ to $\ell'$.

►  ℓ:  loop while p(ȳ)
    ℓ':

This statement is the complement of the above statement: it loops until condition $p(\bar{y})$ is false. It
is represented as the pair of transitions $p(\bar{y}) \to [\ ]$ from $\ell$ back to $\ell$ itself and $\sim p(\bar{y}) \to [\ ]$ from $\ell$ to $\ell'$.

►  ℓ:  compute u1, ..., ur using v1, ..., vs
    ℓ':

This statement represents a segment of terminating computation in whose details we are not
interested. The only facts we assume about this segment are:

1.  The segment may modify only the program variables $u_1, \ldots, u_r$, $r \ge 0$,
and may reference only the program variables $v_1, \ldots, v_s$, $s \ge 0$.

2.  The segment must eventually terminate.

The statement is represented as

$\mathrm{true} \to [(u_1, \ldots, u_r) := f(v_1, \ldots, v_s)]$

where $f$ represents an unspecified function.

We will often use compute segments of the form

ℓ:  compute
ℓ':

for the case $r = s = 0$ to refer to a segment of terminating computation that does not modify or
access any program variables.

►  ℓ:  execute u1, ..., ur using v1, ..., vs
    ℓ':

This statement represents an arbitrary program segment that may modify only the program
variables $u_1, \ldots, u_r$, $r \ge 0$, and may reference only $v_1, \ldots, v_s$, $s \ge 0$. Here we do not require
that the segment must eventually terminate. Consequently its representation is given by a node $\ell$ with two
transitions, both unconditionally enabled:

$\mathrm{true} \to [\ ]$

$\mathrm{true} \to [(u_1, \ldots, u_r) := f(v_1, \ldots, v_s)]$

one of which returns to $\ell$ itself (so that the segment may run forever) and the other of which leads to $\ell'$.

►  ℓe:  halt

is represented as a node with no exits.

Note that for all the statements considered so far, except for the halt statement, the full-exit
condition is always identically true. Also all the instructions (and their corresponding locations),
except for the execute $u_1, \ldots, u_r$ instruction, are deterministic, i.e., they have mutually exclusive
transitions.

Example:

Consider the following concurrent program for computing the binomial coefficient $\binom{n}{k}$ for
integers $n$ and $k$, such that $0 \le k \le n$:

Program BC (Binomial Coefficient):

y1 := n, y2 := 0, y3 := 1

Process P1:

  ℓ0:  if y1 = (n − k) then go to ℓe
  ℓ1:  y3 := y3 · y1
  ℓ2:  y1 := y1 − 1
  ℓ3:  go to ℓ0
  ℓe:  halt

Process P2:

  m0:  if y2 = k then go to me
  m1:  y2 := y2 + 1
  m2:  loop until y1 + y2 ≤ n
  m3:  y3 := y3 / y2
  m4:  go to m0
  me:  halt

The input parameters to this program are $n$ and $k$. Note that $n$ appears in the initial
assignment while both $n$ and $k$ appear in statements of the processes.

We have not yet discussed the execution of concurrent programs in our model. Assume for
a moment that each instruction in this program is atomic and that at any instant only one such
atomic instruction is executed. Once it is completed, another instruction (from either process) is
executed to its completion, and so on. Under this assumption, the program BC computes the
binomial coefficient

$\binom{n}{k} = \dfrac{n \cdot (n-1) \cdots (n-k+1)}{1 \cdot 2 \cdots k}.$

The values of $y_1$, i.e., $n, n-1, \ldots, n-k+1$, are used to compute the numerator in $P_1$ (the
last value of $y_1$, $n-k$, is not used), and the values of $y_2$, i.e., $1, 2, \ldots, k$, are used to compute the
denominator (the first value of $y_2$, 0, is not used). The process $P_1$ multiplies $n \cdot (n-1) \cdots (n-k+1)$
into $y_3$ while $P_2$ divides $y_3$ by $1 \cdot 2 \cdots k$.

The instruction

  m2:  loop until y1 + y2 ≤ n

guarantees even divisibility. It synchronizes $P_2$'s operation with that of $P_1$ to ensure that $y_3$ is
divided by $i$ only after it has been multiplied by $n - i + 1$. We rely here on the mathematical
theorem that the product of $i$ consecutive positive integers $k \cdot (k+1) \cdots (k+i-1)$ is always
divisible by $i!$.

Now, consider the intermediate expression at m2:

$y_3 = \dfrac{n \cdot (n-1) \cdots (n-j+1)}{1 \cdot 2 \cdots (i-1)},$

where $1 \le i \le j \le n$, $y_1 = n - j$ and $y_2 = i$. The numerator consists of the product of $j$
consecutive positive integers and is therefore divisible by $i$ since $i \le j$. If $j = i$, we have to wait
until $y_1$ is decremented by the instruction in ℓ2 from $n - i + 1$ to $n - i$ before we can be absolutely
sure that $(n - i + 1)$ has been multiplied into $y_3$. Thus, process $P_2$ waits at m2 until $y_1 + y_2$ drops
to a value less than or equal to $n$. ∎

In order to keep track of the progress of the execution in each process we use a vector of
location variables $\bar{\pi} = (\pi_1, \ldots, \pi_m)$ where each $\pi_i$ ranges over the label set $L_i$ of process $P_i$.

[Figure: the program $\bar{y} := f_0(\bar{x});\ [P_1 \| \ldots \| P_m]$ drawn as transition graphs, with $\pi_1, \ldots, \pi_m$ marking the current node of each process.]

The location variable $\pi_i$ points to the location in $P_i$ which is to be executed next.
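The following Python program is an added example, not from the paper; it encodes program BC in the transition-graph form defined above (under the assumption stated with the example that each instruction is atomic and that atomic instructions of the two processes are interleaved one at a time) and explores every interleaving exhaustively. For each reachable state, identified by the location vector $(\pi_1, \pi_2)$ together with $(y_1, y_2, y_3)$, it records whether the state is blocked, whether the division at m3 is exact, and the final value of $\bar{y}$ once both processes have halted. It also runs the program with the wait at m2 replaced by an unconditional exit, which exhibits the inexact divisions and wrong results the synchronization prevents. The labels follow the paper; the exploration code and its function names are the example's own.

```python
from math import comb


def program_bc(n, k):
    """Program BC as two transition graphs over the shared variables
    y = (y1, y2, y3). Each node maps to its outgoing transitions
    (enabling condition, transformation, target label); 'loop until p'
    becomes the pair  ~p -> [ ]  back to the node and  p -> [ ]  onward,
    and a halt node has no exits."""
    p1 = {
        'l0': [(lambda y: y[0] == n - k, lambda y: y, 'le'),
               (lambda y: y[0] != n - k, lambda y: y, 'l1')],
        'l1': [(lambda y: True, lambda y: (y[0], y[1], y[2] * y[0]), 'l2')],
        'l2': [(lambda y: True, lambda y: (y[0] - 1, y[1], y[2]), 'l3')],
        'l3': [(lambda y: True, lambda y: y, 'l0')],
        'le': [],
    }
    p2 = {
        'm0': [(lambda y: y[1] == k, lambda y: y, 'me'),
               (lambda y: y[1] != k, lambda y: y, 'm1')],
        'm1': [(lambda y: True, lambda y: (y[0], y[1] + 1, y[2]), 'm2')],
        'm2': [(lambda y: y[0] + y[1] <= n, lambda y: y, 'm3'),
               (lambda y: y[0] + y[1] > n, lambda y: y, 'm2')],
        'm3': [(lambda y: True, lambda y: (y[0], y[1], y[2] // y[1]), 'm4')],
        'm4': [(lambda y: True, lambda y: y, 'm0')],
        'me': [],
    }
    return [p1, p2], ('l0', 'm0'), (n, 0, 1)


def explore(procs, locs0, y0, invariants=()):
    """Exhaustive interleaving: from each reachable state (pi, y) fire every
    enabled transition of every process, one atomic instruction at a time.
    Returns the number of states, the final values of y in terminating
    executions, any blocked (deadlocked) states and any invariant violations."""
    start = (locs0, y0)
    seen, stack = {start}, [start]
    final_values, blocked, violations = set(), [], []
    while stack:
        locs, y = stack.pop()
        for name, holds in invariants:
            if not holds(locs, y):
                violations.append((name, locs, y))
        enabled = [(i, f, target) for i, proc in enumerate(procs)
                   for cond, f, target in proc[locs[i]] if cond(y)]
        if not enabled:
            # Nothing is enabled: termination if every process sits at a halt
            # node, otherwise a deadlock (blocking) in the paper's sense.
            if all(not proc[locs[i]] for i, proc in enumerate(procs)):
                final_values.add(y)
            else:
                blocked.append((locs, y))
            continue
        for i, f, target in enabled:
            successor = (locs[:i] + (target,) + locs[i + 1:], f(y))
            if successor not in seen:
                seen.add(successor)
                stack.append(successor)
    return {'states': len(seen), 'final_values': final_values,
            'blocked': blocked, 'violations': violations}


def check_bc(n, k, synchronized=True):
    """Explore BC for given n, k. With synchronized=False the wait at m2 is
    replaced by an unconditional exit, to show why the paper needs it."""
    procs, locs0, y0 = program_bc(n, k)
    if not synchronized:
        procs[1]['m2'] = [(lambda y: True, lambda y: y, 'm3')]
    # Global invariant: whenever P2 is about to execute m3, y3 is divisible by y2.
    exact_division = ('division at m3 is exact',
                      lambda locs, y: locs[1] != 'm3' or y[2] % y[1] == 0)
    result = explore(procs, locs0, y0, [exact_division])
    result['expected'] = (n - k, k, comb(n, k))
    return result


if __name__ == '__main__':
    for sync in (True, False):
        r = check_bc(5, 2, synchronized=sync)
        print('with m2 wait' if sync else 'without m2 wait', r['states'], 'states;',
              'final y:', sorted(r['final_values']), 'expected', r['expected'],
              '; blocked:', len(r['blocked']), '; violations:', len(r['violations']))
```

The self-loop at m2 produces no new state (the location vector and $\bar{y}$ are unchanged), so the exploration terminates; with the wait in place every terminating execution ends with $y_3 = \binom{n}{k}$ and no state is blocked, while without it the explorer reports reachable states at m3 where $y_3$ is not divisible by $y_2$ and final values other than $\binom{n}{k}$.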


CONCURRENCY  AND  ITS  MODELLING  BY  INTERLEAVING 


Before  defining  the  execution  of  concurrent  programs  in  our  model,  we  should  first  study  in 
more  detail  the  actual  behavior  of  a  physically  concurrent  system. 

As our motivating real-life situation we consider a system consisting of $m$ physically separate
processors $\Pi_1, \ldots, \Pi_m$. Each of the processors $\Pi_i$ is responsible for executing the process program
$P_i$. The shared program variables $y_1, \ldots, y_n$ reside in a common memory $M$ to which each of
the processors must gain access in order to retrieve or store a value of a shared variable. In
addition, each of the processors has its own set of private variables (registers). These are used
to hold intermediate results of the computation or values which are not needed by the other
processes. We will refer to these private registers as $t_0, t_1, \ldots$. We assume that the shared memory,
$M$, is hardware protected to allow only one processor to access a shared variable at a certain
instant. While the access is taking place, the particular variable accessed is unavailable to all other
processors. Each access is restricted to a single operation, a value retrieval or a value update, but
not both.

Consider for example the joint operation of two processors $\Pi_1$ and $\Pi_2$ which are executing the
following concurrent program:

Elementary Program EP

y := 0

Process P1:

  ℓ0:  t1 := y
  ℓ1:  t1 := t1 − 1
  ℓ2:  y := t1
  ℓe:  halt

Process P2:

  m0:  t2 := y
  m1:  t2 := t2 + 1
  m2:  y := t2
  me:  halt

Each processor $\Pi_i$ has its private register $t_i$, $i = 1, 2$. This program has been carefully constructed
so that it uses only three standardized types of elementary instructions:

a.  A shared retrieval (reference), transferring the current value of a shared variable
into a private register:

$t_1 := y$ and $t_2 := y$.

b.  A shared update (modification), storing the value of a private register into a shared
variable:

$y := t_1$ and $y := t_2$.

c.  An internal computation of the form $t_i := f(\bar{t})$ assigning to one register of a
processor a value which is a function of the registers $\bar{t}$ of the same processor:

$t_1 := t_1 - 1$ and $t_2 := t_2 + 1$.

We also frequently use a fourth type of elementary instruction:

d.  An internal test of the form
if $p(\bar{t})$ then go to $\ell$

where $\bar{t}$ are registers of the same processor.

With the execution of the instructions of types a and b we can associate a unique event which
is the actual access to the shared memory $M$. We refer to these events as shared access events.
For the simple program presented above we can associate the events $r_i$, $i = 1, 2$, with the retrieval
of the value of the shared $y$ at the instructions in locations ℓ0 and m0 respectively. Similarly, we
associate the events $u_i$, $i = 1, 2$, with the updating of the shared variable $y$ at the instructions ℓ2
and m2 respectively. No access event is associated with internal computations such as those at ℓ1
and m1.

Since in our example all four accesses refer to the same variable y, no two of them can occur
exactly at the same time because of the exclusivity mechanism provided by the memory unit M.
Thus in any possible concurrent execution of this program we will observe a linear sequence of the
occurrences of these four events. The only possible sequences are:

r1, u1, r2, u2    leading to a final value of    y = 0
r2, u2, r1, u1    leading to a final value of    y = 0
r1, r2, u1, u2    leading to a final value of    y = 1
r1, r2, u2, u1    leading to a final value of    y = −1
r2, r1, u1, u2    leading to a final value of    y = 1
r2, r1, u2, u1    leading to a final value of    y = −1.

For this program, the sequence of access events uniquely determines the final state of the
computation.

While  the  access  events  themselves  are  constrained  by  the  memory  protection  mechanism  to 
form  a  linear  sequence  in  which  no  two  events  coincide,  the  execution  of  the  non-accessing  part 
of  the  instructions  will  generally  overlap  in  time.  In  fact,  many  different  executions  which  greatly 
differ  in  the  timing  and  overlaps  of  their  non-accessing  parts  and  instructions  correspond  to  the 
same  linear  timing  sequence  of  the  accessing  events,  and  hence  yield  the  same  final  state.  This 
proliferation  of  executions  which  all  yield  the  same  result  and  display  essentially  the  same  behavior 
makes  the  analysis  of  concurrent  executions  unnecessarily  complicated. 

Consequently,  in  order  to  reduce  the  complexity  of  analysis  we  use  a  simplified  model  in  which 
the  executions  are  restricted  to  be  interleaved.  An  interleaved  execution  is  one  in  which  at  any 
instant  only  one  processor  is  executing  an  elementary  instruction  to  its  completion.  Once  the 
elementary  instruction  is  completed,  another  processor  may  initiate  an  elementary  instruction  and 
proceed  to  complete  it.  Under  this  model,  the  execution  proceeds  as  a  sequence  of  discrete  steps. 
In  each  step  one  enabled  transition  (instruction)  is  selected  in  one  of  the  processes  and  is  executed 
to  completion. 

The selection of the next process to be executed is personified by a scheduler who performs the
selection. At each step of the computation the scheduler selects one process which has an enabled
transition and lets that process execute one instruction (transition). For the sake of completeness
we also allow the scheduler to arbitrarily insert an idling step in which no process is scheduled, no
instruction is performed, and the values of all program and location variables remain the same. In
the case that no enabled transition is available, an idling step is the only choice that the scheduler
has thereafter. In such a case we say that the program is deadlocked. A special case of this situation
is when the program has terminated, i.e., all the processes have terminated.

When  first  encountered  the  model  of  interleaved  execution  may  appear  to  be  artificial  and 
counterintuitive.  In  fact  it  seems  to  defeat  the  whole  idea  of  concurrency  -  concurrent  (overlapping) 
execution  of  instructions  in  different  processes.  Therefore  we  emphasize  that  the  interleaving  model 
is  only  a  mathematical  device  for  simplifying  the  analysis  which  proves  to  be  adequate  for  the  kind 
of  non-quantitative  analysis  we  consider  here.  That  is,  as  long  as  we  are  not  interested  in  questions 
about  the  timing  of  instructions  and  the  running  time  of  a  program  and  make  no  assumptions  about 
the  relative  speeds  of  the  processors,  the  model  of  interleaved  executions  faithfully  represents  all 
the  possible  behaviors  of  the  program. 

We  use  the  following  definitions: 

• An access to a variable in an instruction of a process Pi is defined to be critical if it is either
a modification of a variable which is accessed by other processes or an access to a variable
which is modifiable by other processes.

• An instruction is said to obey the single (critical) access rule if it contains at most one critical
access.

We  can  then  state  the  following  result: 

Proposition (single (critical) access): Interleaved executions of a program P, all of whose
instructions obey the single (critical) access rule, faithfully represent all concurrent executions of
P.

Thus, it is possible to represent by interleaving all possible situations arising under concurrency.
Since this approach greatly simplifies the analysis, we will adopt it in our treatment of
concurrent programs.

One  necessary  exception  to  the  single  access  rule  is  semaphores. 


SEMAPHORES 


Semaphores are devices for achieving synchronization in concurrent systems ([DIJ1]). They are
special atomic instructions denoted by request(y) (also known as P(y)), and release(y) (also known
as V(y)), operating on the semaphore variable y.

The request instruction

l : request(y)
l' :

is equivalent to the single transition from l to l'

y > 0 → [y := y − 1]

The release instruction

l : release(y)
l' :

is equivalent to the transition from l to l'

[y := y + 1]


Semaphores  are  considered  atomic  (primitive)  even  under  concurrent  execution.  Therefore 
when  programs  are  transformed  to  single  access  form,  the  semaphore  instructions  should  be 
preserved  as  atomic  and  not  broken  up  into  single  access  instructions.  No  other  operations  can  be 
performed  on  semaphore  variables. 

Usually the semaphore variable y is initialized to 1. A process reaching a request(y) instruction
will proceed beyond it only if y > 0, and then it will decrement y by 1, setting it to 0. Thus a
location containing a request(y) instruction can be used as a checkpoint, synchronizing the process
with other processes containing request(y) and release(y) instructions operating on the same y.

Consider a concurrent program of the form

y := 1

l1 : request(y)      l2 : request(y)      ...      lk : request(y)
m1 : release(y)      m2 : release(y)      ...      mk : release(y)
     − P1 −               − P2 −                        − Pk −

Assume, for example, that P1 arrived first at l1 when y was 1. It then went beyond and set y to
0. As long as P1 is between l1 and m1, y will remain 0, and any other process, say P2, which will
attempt to go beyond its request statement l2 will be held there since the enabling condition y > 0
is false. It must wait there for y to turn positive, which can only be caused by P1 performing the
release(y) operation at m1. Even if P1 and P2 reach l1 and l2 simultaneously, the atomicity of
the request instruction (which is required for exactly this reason) ensures that only one process can
gain access to its region lying between l and m. This region is called a critical section, and our use
of semaphores in this example ensures mutual exclusion of access to the critical sections; that is,
at most one of the processes may execute its critical section at any instant. Semaphores may also
be used for a variety of other signalling and synchronization tasks.
Mutual exclusion of critical sections is necessary whenever two or more processes need to access
a shared variable or device (such as a disk) and wish to be protected from interference or attempts
by the other processes to access the same resource while doing so.

Example: 

Consider once more Program BC0 (Binomial Coefficient). In order to recast it in the single
access form we notice that the variable y3 is the critically shared variable. Hence, we have to break
the instruction

l1 : y3 := y3 · y1

into the sequence

l1 : t1 := y3 · y1
l1' : y3 := t1

Note that y1 is modified only by P1; hence its access at l1 is non-critical.

Similarly we have to break the instruction

m3 : y3 := y3 / y2

into

m3 : t2 := y3 / y2
m3' : y3 := t2.

Note that both the assignments y1 := y1 − 1, y2 := y2 + 1 and the test y1 + y2 ≤ n already
satisfy the single access rule.

The problem now is that of interference between the two new processes. Consider for example
an execution which includes the sequence:

m3, l1', m3'.

Following this execution we find that while the instruction at l1' stores a certain value into y3, it
is immediately overwritten by the value stored into it by the instruction at m3'. Thus the value of
the computation performed in l1 is completely lost and the result is of course invalid. To prevent
such a mishap we must protect each of the sequences (l1, l1') and (m3, m3') from interference by the
other. The protection is done by using a semaphore variable y4; the modified program appears
below:

Program BC (modified Binomial Coefficient):

y1 := n, y2 := 0, y3 := 1, y4 := 1

l0 : if y1 = (n − k) then go to le      m0 : if y2 = k then go to me
l1 : request(y4)                        m1 : y2 := y2 + 1
l2 : t1 := y3 · y1                      m2 : loop until y1 + y2 ≤ n
l3 : y3 := t1                           m3 : request(y4)
l4 : release(y4)                        m4 : t2 := y3 / y2
l5 : y1 := y1 − 1                       m5 : y3 := t2
l6 : go to l0                           m6 : release(y4)
le : halt                               m7 : go to m0
                                        me : halt
           − P1 −                                  − P2 −

The mutually protected critical sections are (l2, l3, l4) and (m4, m5, m6) respectively. Their
exclusion ensures that each computed value of y3 is assigned to y3 without any interference. Under
interleaved executions, BC computes the binomial coefficient and is in single reference form. ■

Example: 

Consider the following program CP modelling a consumer-producer situation:

Program CP (Consumer Producer):

b := Λ, s := 1, cf := 0, ce := N

l0 : compute y1           m0 : request(cf)
l1 : request(ce)          m1 : request(s)
l2 : request(s)           m2 : y2 := head(b)
l3 : t1 := b ∘ y1         m3 : t2 := tail(b)
l4 : b := t1              m4 : b := t2
l5 : release(s)           m5 : release(s)
l6 : release(cf)          m6 : release(ce)
l7 : go to l0             m7 : compute using y2
                          m8 : go to m0
   − P1 : Producer −         − P2 : Consumer −

The program is in single access form. The producer P1 computes a value into y1 without using
any other program variables; the computation details are irrelevant. It then adds y1 to the end
of the buffer b. The consumer P2 removes the first element of the buffer into y2 and then uses
this value for its own purposes (at m7). It is assumed that the maximal capacity of the buffer b is
N > 0. The 'compute using y2' instruction references y2 but does not modify any of the shared
program variables.

In order to ensure the correct synchronization between the processes we use three semaphore
variables:

• The variable s ensures that the accesses to the buffer are protected and provides exclusion
between the sections (l3, l4, l5) and (m2, m3, m4, m5).

• The variable ce ("count of empties") counts the number of free available slots in the buffer
b. It protects the buffer b from overflowing. The producer cannot deposit a value in
the buffer if ce = 0, and when it does deposit a value, it decrements ce by 1. Since
we start with ce = N, the producer cannot deposit more than N items before the
consumer has removed any of them. The consumer, on the other hand, increments ce
by 1 whenever it removes an item and creates a new vacancy.

• The variable cf ("count of fulls") counts how many items the buffer currently holds.
It is initialized to 0, incremented by the producer whenever a new item is deposited,
and decremented by the consumer whenever an item is removed. It ensures that the
consumer does not attempt to remove an item from an empty buffer. ■
FAIRNESS


Another problem with modelling concurrency by interleaving is fairness. Consider first a
program with no semaphore instructions, and where the full-exit condition E_l(y) at each nonterminal
location l (i.e., l ≠ le) is identically true, i.e., E_l(y) = true for every y. Note that the latter is
true for every linear-text program without semaphores. Under these restrictions every process that
has not yet terminated is enabled, i.e., it always has an enabled transition, and if selected by the
scheduler can always execute this transition. Running under true concurrency, every process will
go on executing until it reaches its termination label le.

In  order  to  model  the  same  property  under  interleaving  execution  we  require  the  scheduler  to 
be  fair.  By  that  we  mean  that  no  process  which  is  ready  to  run  (i.e.,  enabled)  will  be  neglected 
forever.  Stated  more  precisely,  we  exclude  infinite  executions  in  which  a  certain  process  which 
has  not  terminated  is  never  scheduled  from  a  certain  point  on.  Note  that  all  finite  terminating 
sequences  are  necessarily  fair.  This  will  also  prevent  the  scheduler  from  going  on  an  infinite  spree 
of  idling  steps  when  at  least  one  process  is  enabled. 

Coming back to the more general situation which allows semaphore instructions, we have to
consider the possibility that a nonterminated process is not continuously enabled. Furthermore,
its being enabled may depend on the action of the other processes, since in general the full-exit
condition E_l(y) depends on the shared variables y.

Our  requirement  of  fairness  for  this  more  general  case  will  be  formulated  as: 

We  disallow  infinite  sequences  in  which  a  certain  process  is  enabled  infinitely 
often  and  is  scheduled  only  a  finite  number  of  times. 

Example:

Consider the simplest case of two processes synchronized by a semaphore:

y := 1

l0 : request(y)        m0 : request(y)
l1 : release(y)        m1 : release(y)
l2 : go to l0          m2 : go to m0
     − P1 −                 − P2 −

Obviously the infinite execution sequence (where we only mention the label arrived at as a result
of the current transition)

l1, l2, l0, m1, m2, m0, l1, l2, l0, m1, m2, m0, ...

is fair. On the other hand the sequence:

l1, l2, l0, l1, l2, l0, ...

while constantly π2 = m0 is unfair. This is because whenever π1 = l0 or π1 = l2, P2 is enabled.
Thus in this sequence, even though P2 is not continuously enabled (it is not enabled when π1 = l1),
it is enabled infinitely often. Since P2 is never scheduled while being enabled infinitely often this
sequence is unfair.


In  practice  every  scheduler  which  is  fair  satisfies  a  stronger  requirement:  it  is  fair  within  a 
finite  bound,  i.e.,  no  enabled  process  may  be  neglected  for  more  than  k  instants  of  being  enabled. 
Here  k  is  a  constant,  characteristic  of  the  scheduler. 

Generalizing the semaphore instruction request(y) which waits for y to turn positive and then
decrements it, we have the 'wait until p(y)' and 'wait while p(y)' instructions. They are modelled
as follows:

l : wait until p(y)
l' :

is represented by the single transition from l to l'

p(y) → [ ]

and

l : wait while p(y)
l' :

is represented by the transition from l to l'

¬p(y) → [ ]

The wait instructions are similar to the request instruction in that the full-exit condition is
not identically true. Thus for the 'wait until p(y)' instruction, the full-exit condition E_l(y) is equal
to p(y). Consequently fairness considerations ensure that if p(y) turns true infinitely often while a
process is waiting at l it will eventually be scheduled (exactly when p(y) is true) and proceed to l'.

Let us compare the 'wait until p(y)' instruction with the 'loop until p(y)' instruction whose
graph representation consists of two transitions leaving l:

¬p(y) → [ ]    (a self loop back to l)

p(y) → [ ]     (leading to l')

Note that the full-exit condition for this instruction is E_l = true. Thus even if p(y) turns
true infinitely often we are not assured of ultimately reaching l'. This is so because the only
requirement implied by fair scheduling is that if E_l is infinitely often true the process waiting at l
must eventually be scheduled at an instant in which E_l is true. However this instant may always
happen to be one in which p(y) = false and the instruction executed is a transition back to l.

The only condition that will guarantee for a loop instruction the eventual exit to l' is that p(y)
becomes permanently true beyond a certain stage in the computation.

There are practical implications to the distinction between the wait and loop instructions. If we
wish to implement an actual fair interleaving scheduler, it is easier to be fair to the loop instruction
than to the wait instruction. Since for the loop instruction, E_l is identically true, in order to be fair
to a process which is at l, the scheduler just has to make sure it does not neglect it and eventually
comes around to scheduling it. In order to be fair to a wait instruction, whose full-exit condition
is p(y), we have to monitor the instants in which p(y) is true. Then when it is observed that p(y)
is true many times the relevant process has to be eventually scheduled.

On  the  other  hand,  the  use  of  a  wait  instruction  implies  greater  efficiency  since  the  scheduler 
may  place  the  process  executing  a  wait  instruction  on  a  suspension  list,  from  which  it  will  be 
removed  only  when  p(y)  is  true  and  the  scheduler  decides  to  schedule  that  process. 
3. THE TEMPORAL DESCRIPTION OF PROGRAM PROPERTIES


As  we  have  seen,  the  behavior  of  a  concurrent  program  is  characterized  by  the  set  of  its  fair 
execution  sequences.  We  have  also  developed  the  formalism  of  temporal  logic  whose  formulas  are 
interpreted  over  sequences.  We  now  combine  the  two  and  utilize  temporal  logic  to  state  properties 
of  the  execution  sequences  of  a  given  program,  thus  describing  properties  of  the  dynamic  behavior 
of  the  program  ([PNU1],  [MP]). 

In  order  to  apply  the  general  temporal  formalism  to  execution  sequences,  it  is  necessary  to 
introduce  additional  structure  and  special  notation  into  the  temporal  language.  For  states  we  will 
consider  “execution  states”  which  each  consist  of  the  vector  of  current  locations  in  the  program  and 
of  the  current  values  of  all  program  variables  at  a  certain  stage  in  the  execution.  The  accessibility 
relation  between  execution  states  will  represent  “derivability”  by  the  program’s  execution.  We  will 
use  predicates  and  propositions  to  describe  properties  of  a  single  state,  and  modalities  to  describe 
properties  of  the  execution  leading  from  one  state  to  another. 

Consider a typical concurrent program

P = y := f0(x); [P1 || ... || Pm]

with input parameters x = (x1, ..., xk) and shared program variables y = (y1, ..., yn) over a
domain D. (For simplicity, we do not consider many-sorted domains.)

An execution state for this program has the general structure

s = (λ; η)

where

• λ = (λ1, ..., λm) is the vector of current values held by the location variables π. Thus
λi ∈ Li is the label of the node in the transition graph of process Pi where execution is
to resume next. (It is the label of the next instruction to be executed in the linear-text
representation.)

• η = (η1, ..., ηn) ∈ D^n is the vector of data values assumed by the program variables y in
the state s. Thus ηi ∈ D is the current value of yi in s.

An execution sequence of a concurrent program is an infinite sequence of states:

σ = s0, s1, s2, ....


Corresponding to the structure of execution states and sequences we will consider temporal
formulas with the following individual variables:

(a) Local program variables: y1, ..., yn.

These represent the current values of the program variables which of course may
vary from one execution state to the other.

(b) Local location variables: π1, ..., πm.

These represent the location of each process in a given state. Each πi will range
over the set Li.

(c) Global variables: x1, ..., xk, u1, u2, ....

These are the input parameters x1, ..., xk, and auxiliary variables u1, u2, ...
which stay constant over the complete execution, i.e., they do not vary from state
to state. The auxiliary variables are used to express relations between local values
in different states. For example:

∀u[(y = u) ⊃ ◇(y = u + 1)]

expresses the statement that there will be a future instant in which the value of
the variable y will be greater by 1 than its current value.

For a label l ∈ Lj, we abbreviate the atomic formula πj = l to at l, i.e.,

at l is true iff πj = l,

which may therefore be considered a local proposition. Thus, for a given state s = (λ; η) and
location l ∈ Lj, at l is true at s if the process Pj is currently at l, i.e., λj = l.

More generally, for a set of labels L ⊆ Lj the local proposition at L is defined to be true if Pj
is anywhere within L, i.e.,

at L is true iff πj ∈ L.

If L consists of all the labels li within a segment, i.e., L = {la, la+1, ..., lb} for some 0 ≤
a ≤ b, we will also write at L as at l_{a..b}. Thus,

at l_{a..b} = at{la, ..., lb} = ⋁_{i=a}^{b} at li.

We proceed to give a precise definition for the set of legal execution sequences σ corresponding
to a given program P with input values x = ξ. There are three requirements which a legal
execution sequence ought to fulfill:

A. Initialization

An execution sequence

σ = s0, s1, s2, ...

is properly initialized if s0 = (λ0; η0) has the structure:

• λ0 = (l0^1, ..., l0^m), the set of initial locations in each of the processes;

• η0 = f0(ξ), the initial values assumed by the program variables on initialization.

B. State to state transitions

An execution sequence σ is admissible if each s_{k+1} = (λ'; η') is related to s_k = (λ; η) by
one of the following rules:
(b) An i-step: For some i, 1 ≤ i ≤ m, we have the following: The process Pi contains a
transition from λi to λi'

c(y) → [y := f(y)]

such that πi = λi, c(η) = true (i.e., the transition is enabled) and η' = f(η). For all
j, j ≠ i, we have λj' = λj.

Note that in the presence of self loops, i.e., a transition leading from a node back to itself,
we cannot always uniquely decide whether an idling step or a trivial i-step led from state s_k to
state s_{k+1}.

C. Fairness or Justice

• An admissible sequence σ is just if there is no process Pi which is continuously enabled beyond
a certain state s in the sequence σ, and only a finite number of steps of σ are i-steps.

Thus the notion of justice ensures that no process is indefinitely neglected. This notion is adequate
for programs with no semaphore instructions.

• An admissible sequence σ is fair if there is no process Pi which is enabled an infinite number
of times in σ, and only a finite number of steps of σ are i-steps.

Note that a fair sequence is also a just sequence. In addition to the assurances given by
justice, fairness guarantees that no process will remain blocked at a semaphore instruction whose
exit condition turns true infinitely often. For programs without semaphore instructions the notions
of fairness and justice coincide. Consequently, our treatment will concentrate on fair executions.
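To make the definitions of justice and fairness concrete, here is an added Python example (not code from the report) that classifies an infinite execution given as a lasso, i.e. a finite prefix followed by a cycle of states that repeats forever. It is applied to the two sequences of the fairness example above (P1 and P2 alternating, and P1 cycling alone while π2 = m0) and to the degenerate program whose every step can be read as an idling step, a 1-step or a 2-step; the lasso encoding and the helper names are assumptions of this example.

```python
"""Justice and fairness of an infinite execution sequence (definitions in C).
Added example, not code from the original report.  The infinite sequence is a
lasso: states[loop_to:] repeat forever.  So 'continuously enabled beyond some
state' means enabled in every cycle state, 'enabled infinitely often' means
enabled in some cycle state, and 'infinitely many i-steps' means that some
cycle step can be read as an i-step.  A state is (labels tuple, variables)."""

def request(sem, nxt):
    return (lambda v: v[sem] > 0, lambda v: {**v, sem: v[sem] - 1}, nxt)

def release(sem, nxt):
    return (lambda v: True, lambda v: {**v, sem: v[sem] + 1}, nxt)

def goto(nxt):
    return (lambda v: True, lambda v: dict(v), nxt)

def enabled(procs, state, i):
    """P_i has an enabled transition in state (a terminated process has none)."""
    labels, v = state
    return any(guard(v) for guard, _, _ in procs[i].get(labels[i], []))

def is_i_step(procs, s, s_next, i):
    """True if some enabled transition of P_i at s leads exactly to s_next."""
    labels, v = s
    for guard, action, nxt in procs[i].get(labels[i], []):
        if guard(v) and (labels[:i] + (nxt,) + labels[i + 1:], action(v)) == s_next:
            return True
    return False

def classify(procs, states, loop_to):
    """Return (just, fair) for states[:loop_to] followed by states[loop_to:] forever."""
    cycle = states[loop_to:]
    steps = list(zip(cycle, cycle[1:] + cycle[:1]))  # last cycle state returns to first
    just = fair = True
    for i in range(len(procs)):
        stepped = any(is_i_step(procs, s, t, i) for s, t in steps)
        if all(enabled(procs, s, i) for s in cycle) and not stepped:
            just = False    # continuously enabled, yet only finitely many i-steps
        if any(enabled(procs, s, i) for s in cycle) and not stepped:
            fair = False    # enabled infinitely often, yet only finitely many i-steps
    return just, fair

# The two-process semaphore program of the fairness example.
SEM = [{"l0": [request("y", "l1")], "l1": [release("y", "l2")], "l2": [goto("l0")]},
       {"m0": [request("y", "m1")], "m1": [release("y", "m2")], "m2": [goto("m0")]}]

def state(l, m, y):
    return ((l, m), {"y": y})

# P1 and P2 alternate: both take steps inside the cycle.
FAIR_SEQ = [state("l0", "m0", 1), state("l1", "m0", 0), state("l2", "m0", 1),
            state("l0", "m0", 1), state("l0", "m1", 0), state("l0", "m2", 1)]
# P1 cycles alone while pi2 = m0: P2 is enabled whenever pi1 is l0 or l2 but never steps.
UNFAIR_SEQ = [state("l0", "m0", 1), state("l1", "m0", 0), state("l2", "m0", 1)]

# The degenerate program l0: go to l0 || m0: go to m0 on its constant sequence.
DEGEN = [{"l0": [goto("l0")]}, {"m0": [goto("m0")]}]
DEGEN_SEQ = [(("l0", "m0"), {})]

if __name__ == "__main__":
    print(classify(SEM, FAIR_SEQ, 0), classify(SEM, UNFAIR_SEQ, 0),
          classify(DEGEN, DEGEN_SEQ, 0))
```

The unfair sequence comes out just but not fair, which is exactly the gap between the two notions that semaphores expose.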

Note that in checking for fairness we are allowed to take a given step both as an i-step and as
a j-step if both interpretations are possible. Thus the following degenerate program

l0 : go to l0        m0 : go to m0

possesses the legal execution sequence

((l0, m0); ()), ((l0, m0); ()), ...

Each step here may be interpreted as an idling step, a 1-step or a 2-step. Because of this possible
multiple interpretation the sequence is indeed fair.

Consider the sequence corresponding to a terminating computation, i.e., all processes have
terminated. Since in a terminating state πi = l_e^i the process Pi is never enabled, the fairness
criterion does not require further scheduling of Pi, and the only possible steps from that point on
are idling steps. Thus our representation of a terminating computation as an infinite sequence in
which from a certain point on all states are identical is consistent with fairness. This state, to
which the sequence has "converged," is the terminal state.


• Every suffix of a properly ξ-initialized, admissible, fair execution sequence is defined to be a
(P, ξ)-computation. The set of all (P, ξ)-computations is denoted by T(P, ξ). By definition,
this set is suffix closed, i.e., if σ ∈ T(P, ξ), then the suffix of σ beginning at s_t is in T(P, ξ)
for every t ≥ 0.

For a given program P let φ(x) be a restriction (precondition) on the input parameters x.
Usually φ characterizes the inputs we expect the program to operate on.

• A computation is said to be a (P, φ)-computation (proper computation) if it is a (P, ξ)-
computation for some ξ such that φ(ξ) is true.

• We define the set T(P, φ) to be the set of all (P, φ)-computations. Obviously T(P, φ) also
has the suffix closure property.

• A formula w is T(P, φ)-valid if it is true for every computation in T(P, φ). Such a formula
is obviously an established valid property of all (P, φ)-computations. In the following
sections we study the expression of program properties as T(P, φ)-valid formulas.

Since most of our reasoning will be done in the context of a fixed program P and a fixed
precondition φ, we introduce a special notation for T(P, φ) validity. We denote

T(P, φ) ⊨ w  by  ⊩ w.

The statement ⊩ w thus means that w is true for every suffix of a fair, admissible execution of P
which is initiated at λ0 = (l0^1, ..., l0^m) with φ(x) holding and y = f0(x).

Facts of the form ⊩ w will serve as the basic statements in our specification and description
of program properties. Consequently, we will discuss in later reports proof rules for deriving such
statements.

The following is an important derivation:

⊨ w  ⇒  ⊩ w.

It states that if w is true for every possible sequence it is true in particular for every (P, φ)-
computation. This enables us to transport all the generally known valid temporal statements
(⊨-valid) into reasoning about a particular program (⊩-valid). Thus the following are ⊩-valid
formulas:

⊩ □~w ≡ ~◇w

⊩ □(w1 ⊃ w2) ⊃ (□w1 ⊃ □w2)

⊩ □(w ⊃ ○w) ⊃ (w ⊃ □w)

etc.

Another valid inference is

⊩ w  ⇒  ⊩ □w.

This rule states that if w is true for all the (P, φ)-computations then □w is also true for them. This
rule is a direct consequence of the suffix closure property of T(P, φ). One can prove similarly that
all the inference rules (numbers 56 to 66) proven in the earlier repertoire still hold after replacing
⊨ by ⊩.

We  will  now  review  the  expression  of  program  properties  by  temporal  formulas.  The  properties 
will  be  classified  according  to  the  form  of  the  temporal  formulas  expressing  them. 


INVARIANCE  (SAFETY)  PROPERTIES 


Consider first the class of program properties that hold continuously throughout all
computations. They are expressible by formulas of the form:

⊩ □w.

Such a formula states that □w holds for every computation, i.e., w is an invariant of every
computation. By the generalization rule this could have been written as ⊩ w, but we prefer the
above form since it emphasizes the invariant character of the properties in this class.

Note that the initial condition associated with the proper computation is:

at l0 ∧ y = f0(x) ∧ φ(x)

which characterizes the initial state for inputs x satisfying the precondition φ(x). Here, l0 =
(l0^1, ..., l0^m) is the set of initial locations in each of the processes. To emphasize the precondition
φ(x) we sometimes express ⊩ □w as

⊩ φ(x) ⊃ □w.

A formula of this form therefore expresses an invariance property. The properties in this class
are also known as safety properties, based on the premise that they ensure that "nothing bad will
ever happen" ([LAM1]).

More generally, invariance properties can be expressed by formulas of the form

⊩ w0 ⊃ □w.

This form may be used to state that a certain event implies the invariance of some other condition
from that moment on. Under this interpretation w0 is the triggering event whose occurrence causes
the subsequent invariance of the property w.

We  give  below  a  sample  of  important  properties  falling  under  this  category. 


a.  Partial  Correctness 

This property is meaningful only for programs in which each process contains a terminal location $\ell_e$. We call such programs terminating programs, in contrast with continuous (or cyclic) programs whose proper behavior does not call for termination and which therefore do not contain terminal locations.

Let $\varphi(x)$ be the precondition that restricts the set of inputs for which the program is supposed to be correct, and $\psi(x,y)$ the statement of its correctness, i.e., the relation that should hold between the input values $x$ and the output values $y$. Then in order to state partial correctness with respect to a specification $(\varphi, \psi)$ we can write:

$$\models\ \varphi(x) \supset \Box(\mathit{at}\,\ell_e \supset \psi(x,y)),$$

where $\ell_e = (\ell_e^1, \ldots, \ell_e^m)$ is the vector of terminal locations in each of the processes. This formula claims that if the initial state satisfies the precondition, then in any state accessible from it: if that state happens to be an exit state, i.e., $\pi = \ell_e$, then the relation $\psi(x,y)$ holds between the input parameters $x$ and the current values of $y$. Thus this formula states that all convergent $\varphi$-computations terminate in a state satisfying $\psi$, but it does not guarantee termination itself. Note that we rely on $x$ being global and retaining its original value throughout the computation.


Example: 

Let us consider as a concrete example a single process program for computing $x!$ over the nonnegative integers.

Program F (Factorial Program):

$y_1 := x,\ y_2 := 1$

$\ell_0 :$ if $y_1 = 0$ then goto $\ell_e$
$\ell_1 :$ $(y_1, y_2) := (y_1 - 1,\ y_1 \cdot y_2)$
$\ell_2 :$ goto $\ell_0$
$\ell_e :$ halt.

The statement of its partial correctness is

$$\models\ (x \ge 0) \supset \Box(\mathit{at}\,\ell_e \supset y_2 = x!),$$

where the initial condition associated with the proper computation is actually

$$\mathit{at}\,\ell_0 \wedge y_1 = x \wedge y_2 = 1 \wedge x \ge 0.$$


We  are  justified  in  regarding  partial  correctness  as  an  invariance  property  since  it  is  actually 
a  part  of  a  “network  of  invariants”  normally  used  in  the  Invariant-Assertion  Method;  namely,  for 
the  Program  F  above: 


$$\begin{aligned}
\models\ (x \ge 0) \supset \Box\{\ &[\mathit{at}\,\ell_0 \supset (y_1 \ge 0) \wedge (y_2 \cdot y_1! = x!)]\\
\wedge\ &[\mathit{at}\,\ell_1 \supset (y_1 > 0) \wedge (y_2 \cdot y_1! = x!)]\\
\wedge\ &[\mathit{at}\,\ell_2 \supset (y_1 \ge 0) \wedge (y_2 \cdot y_1! = x!)]\\
\wedge\ &[\mathit{at}\,\ell_e \supset (y_1 = 0) \wedge (y_2 = x!)]\ \}.
\end{aligned}$$


And  in  fact,  in  order  to  prove  the  partial  correctness  property,  we  usually  prove  the  invariance  of 
this  larger  formula,  from  which  partial  correctness  follows.  | 


Example: 
As another example consider a program TN counting the number of nodes in a binary tree $X$.

Program TN (Counting the nodes of a tree):

$S := (X),\ C := 0$

$\ell_0 :$ if $S = (\,)$ then goto $\ell_e$
$\ell_1 :$ $(T, S) := (hd(S),\ tl(S))$
$\ell_2 :$ if $T = \Lambda$ then goto $\ell_0$
$\ell_3 :$ $C := C + 1$
$\ell_4 :$ $S := l(T) \cdot r(T) \cdot S$
$\ell_5 :$ goto $\ell_0$
$\ell_e :$ halt.

The program operates on a tree variable $T$ and a variable $S$ which is a stack of trees. The input variable $X$ is a tree. The output is the value of the counter $C$. Each node in a tree may have zero, one or two descendants.

The available operations on trees are the functions $l(T)$ and $r(T)$ which yield the left and right subtrees of a tree $T$ respectively. If the tree does not possess one of these subtrees the functions return the value $\Lambda$.

The stack $S$ is initialized to contain the tree $X$. Taking the head and tail of a stack (functions $hd$ and $tl$ respectively) yields the top element and the rest of the stack respectively. The operation in $\ell_1$ pops the top of the stack into the variable $T$. The operation at $\ell_4$ pushes both the right subtree and the left subtree of $T$ onto the top of the stack.

At any iteration of the program, the stack $S$ contains the list of subtrees of $X$ whose nodes have not yet been counted. The iteration removes one such subtree from the stack. If it is the empty subtree, $T = \Lambda$, we proceed to examine the next subtree on the stack. If it is not the empty subtree we add one to the counter $C$ and push the left and right subtrees of $T$ onto the stack. When the stack is empty, $S = (\,)$, the program halts.

Denoting by $|T|$ the number of nodes in a tree $T$ we can express the statement of partial correctness of the program TN by:

$$\models\ \Box[\mathit{at}\,\ell_e \supset C = |X|].$$

The actual initial condition associated with the proper computation is

$$\mathit{at}\,\ell_0 \wedge S = (X) \wedge C = 0.$$


Example: 

As a more complex example consider again the program BC for the concurrent computation of a binomial coefficient.

The statement of partial correctness to be proved there is:

$$\models\ (0 \le k \le n) \supset \Box\big[(\mathit{at}\,\ell_e \wedge \mathit{at}\,m_e) \supset y_3 = \tbinom{n}{k}\big].$$

That is, every properly initialized execution of the program BC that terminates satisfies $y_3 = \binom{n}{k}$ at its termination point. The actual initial condition associated with the proper computation is

$$\mathit{at}\,\ell_0 \wedge \mathit{at}\,m_0 \wedge y_1 = n \wedge y_2 = 0 \wedge y_3 = 1 \wedge y_4 = 1 \wedge 0 \le k \le n.\ ▪$$


b.  Clean  Behavior 

For every location in a program we can formulate a cleanness condition that states that the instruction at this location will execute successfully and will generate no execution faults (exceptions). Thus if the statement contains a division, the cleanness condition will include the clause specifying that the divisor is nonzero or not too small (to avoid arithmetic overflow). If the statement contains an array reference, the cleanness condition will state that the subscript expressions are within the declared range. Denoting the cleanness condition at location $\ell$ by $\alpha_\ell$, the statement of clean behavior is:

$$\models\ \varphi(x) \supset \Box \bigwedge_{\ell} (\mathit{at}\,\ell \supset \alpha_\ell).$$

The conjunction is taken over all "potentially dangerous" locations in the program.

Example: 

The factorial program F above should produce only natural number values during its computation. A cleanness condition at $\ell_1$, which is clearly a critical point, is (under the precondition $x \ge 0$)

$$\models\ (x \ge 0) \supset \Box[\mathit{at}\,\ell_1 \supset (y_1 > 0)],$$

guaranteeing that the subtraction performed at $\ell_1$ always yields a natural number. Note that we have not indicated that $y_1$ is an integer; such type considerations will be ignored in our discussions.


Example: 

If a program contains the instruction

$$\ell :\ \text{if } y_1 > y_2 \text{ then } y_1 := B[i] \div y_2,$$

where $\div$ is the integer-division operator and the range of the array subscript $i$ is between 1 and $m$, then the cleanness condition at $\ell$ can be expressed as follows:

$$\models\ \Box\{[\mathit{at}\,\ell \wedge (y_1 > y_2)] \supset [(1 \le i \le m) \wedge (y_2 \ne 0)]\}.\ ▪$$

Example: 

A clean behavior statement for the tree node counting program TN is given by:

$$\models\ \Box[(\mathit{at}\,\ell_1 \supset S \ne (\,)) \wedge (\mathit{at}\,\ell_4 \supset T \ne \Lambda)].$$

This ensures that no attempt is made to pop an empty stack or to decompose an empty tree. ▪


Example: 

In the binomial coefficient program BC an appropriate and crucial cleanness statement is given by:

$$\models\ (0 \le k \le n) \supset \Box\{\mathit{at}\,m_4 \supset [(y_2 \ne 0) \wedge (y_3 \bmod y_2 = 0)]\}.$$

That is, whenever we reach the location $m_4$ in a proper computation of BC, $y_3$ is evenly divisible by $y_2$. ▪

A  general  concern  in  the  considerations  of  clean  behavior  is  the  compatibility  of  values  with 
types.  In  the  presence  of  dynamic  types  we  should  also  worry  about  the  compatibility  of  types. 


c.  Global  and  Local  Invariants 

Very frequently, invariant properties are not related to any particular location. In general, some properties may be invariant independent of the location. In these cases we speak of global invariants, i.e., invariants unattached to any particular location. The expression of global invariance is even more straightforward. Thus, we write

$$\models\ \varphi(x) \supset \Box\beta,$$

to state that property $\beta$ holds at all times during a proper computation.

Example:

In the factorial program F above, to claim that $y_1$ is always a nonnegative integer, we may write:

$$\models\ (x \ge 0) \supset \Box(y_1 \ge 0).$$

Another valid global invariant for this program is:

$$\models\ (x \ge 0) \supset \Box(y_2 \cdot y_1! = x!),$$

which states that $y_2 \cdot y_1! = x!$ at all steps of the execution. ▪
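The invariance formulas stated for Program F (its partial correctness, the network of invariants, the cleanness condition at $\ell_1$, and the two global invariants above) can all be checked mechanically by evaluating each $\Box$-formula in every state of a computation. The following Python program is an added example, not part of the paper: it encodes F as a transition function over states $(\text{location}, y_1, y_2)$, and the names `step`, `computation`, `always`, `network_of_invariants` and `check_factorial`, as well as the `max_steps` bound, are this example's own.

```python
"""Explicit-state check of the invariance formulas stated for Program F.
Added example, not part of the original paper: it runs the single proper
computation of F for a given input x and evaluates each □-formula on every
state of that computation, as the meaning of  ⊨ φ(x) ⊃ □w  prescribes."""
from math import factorial

# A state of F is (location, y1, y2); the input x is global and never changes.
TERMINAL = "le"


def step(state):
    """One transition of Program F; returns None at the terminal location."""
    loc, y1, y2 = state
    if loc == "l0":
        return (TERMINAL, y1, y2) if y1 == 0 else ("l1", y1, y2)
    if loc == "l1":
        return ("l2", y1 - 1, y1 * y2)
    if loc == "l2":
        return ("l0", y1, y2)
    return None  # le: halt


def computation(x, max_steps=10_000):
    """States of the proper computation starting from  at l0 ∧ y1 = x ∧ y2 = 1.
    max_steps (an assumption of this example) bounds the prefix inspected,
    since F does not terminate for x < 0."""
    states = [("l0", x, 1)]
    while len(states) <= max_steps and (nxt := step(states[-1])) is not None:
        states.append(nxt)
    return states


def always(pred, states):
    """□ pred over a (finite prefix of a) computation: pred holds in every state."""
    return all(pred(s) for s in states)


def network_of_invariants(x, state):
    """The location-indexed 'network of invariants' for F given in the text."""
    loc, y1, y2 = state
    return {
        "l0": y1 >= 0 and y2 * factorial(y1) == factorial(x),
        "l1": y1 > 0 and y2 * factorial(y1) == factorial(x),
        "l2": y1 >= 0 and y2 * factorial(y1) == factorial(x),
        TERMINAL: y1 == 0 and y2 == factorial(x),
    }[loc]


def check_factorial(x):
    """Evaluate the invariance formulas of the text on the computation for input x.
    When the precondition x ≥ 0 is false,  φ(x) ⊃ □w  holds vacuously."""
    if x < 0:
        return {"partial_correctness": True, "network": True,
                "clean_l1": True, "global": True}
    states = computation(x)
    return {
        # ⊨ (x ≥ 0) ⊃ □(at le ⊃ y2 = x!)
        "partial_correctness": always(
            lambda s: s[0] != TERMINAL or s[2] == factorial(x), states),
        # the larger invariant network from which partial correctness follows
        "network": always(lambda s: network_of_invariants(x, s), states),
        # cleanness at l1: the subtraction never leaves the natural numbers
        "clean_l1": always(lambda s: s[0] != "l1" or s[1] > 0, states),
        # global invariants: y1 ≥ 0 and y2 · y1! = x!
        "global": always(
            lambda s: s[1] >= 0 and s[2] * factorial(s[1]) == factorial(x), states),
    }


if __name__ == "__main__":
    for x in range(6):
        print(x, computation(x)[-1], check_factorial(x))
```

A wrong local invariant (for instance claiming $y_1 > 0$ at $\ell_2$) is refuted by the same monitor, since the state $(\ell_2, 0, x!)$ of every computation violates it.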

Example: 

For the binomial coefficient program BC, an appropriate global assertion would be:

$$\models\ (0 \le k \le n) \supset \Box[(n - k \le y_1 \le n) \wedge (0 \le y_2 \le k)].\ ▪$$

Another  interesting  set  of  properties  are  invariance  properties  which  are  attached  to  particular 
locations,  but  not  necessarily  to  the  exit  locations  of  the  program.  These  properties  are  particularly 
important  for  programs  which  have  no  exits  and  are  expected  to  run  indefinitely. 
We refer to such properties as local invariants and write

$$\models\ \Box(\mathit{at}\,\ell \supset \beta)$$

to indicate that a statement $\beta$ is true whenever we are at a certain location $\ell$. Partial correctness is actually a local invariant referring to the exit locations.

Example: 

In the TN program for counting the nodes in a tree, we can express as a local invariant the fact which is true whenever we visit the location $\ell_0$; namely,

$$\models\ \Box\Big[\mathit{at}\,\ell_0 \supset \Big(\sum_{t \in S} |t| + C = |X|\Big)\Big],$$

i.e., the sum of the number of nodes in all the subtrees currently in the stack plus the current value of the counter $C$ is invariant at $\ell_0$ and equals the number of nodes in the tree $X$. ▪

Invariants  can  also  be  used  in  the  context  of  a  program  whose  output  is  not  necessarily  apparent 
at  the  end  of  the  execution;  for  example,  a  sequential  program  whose  output  is  printed  on  an 
external  file  during  the  computation. 

Example: 

Consider the following program PR for printing the infinite sequence of successive prime numbers

2, 3, 5, 7, 11, 13, 17, ....

Program PR (Printing the prime numbers):

$y_1 := 2$

$\ell_0 :$ print$(y_1)$
$\ell_1 :$ $y_1 := y_1 + 1$
$\ell_2 :$ $y_2 := 2$
$\ell_3 :$ if $(y_2)^2 > y_1$ then goto $\ell_0$
$\ell_4 :$ if $(y_1 \bmod y_2) = 0$ then goto $\ell_1$
$\ell_5 :$ $y_2 := y_2 + 1$
$\ell_6 :$ goto $\ell_3$

A part of the correctness statement for this program is:

$$\models\ \Box(\mathit{at}\,\ell_0 \supset prime(y_1));$$

it indicates that only primes are printed. ▪

Next we will examine some properties which are meaningful only for concurrent programs.

d. Mutual Exclusion


The  notions  of  critical  sections  and  mutual  exclusion  were  introduced  earlier,  but  let  us  briefly 
review  them. 

Consider two processes $P_1$ and $P_2$ being executed in parallel. Assume that each process contains a section $C_i \subseteq L_i$, for $i = 1, 2$, which includes some task critical to the cooperation of the two processes. For example, it might access a shared device (such as a disk) or a shared variable. If the nature of the task is such that it must never be done by both of them simultaneously, we call these sections critical sections. The property stating that the processes will never simultaneously execute their respective critical sections is called mutual exclusion with respect to this pair of critical sections.

The property of mutual exclusion for $C_1$ and $C_2$ can be described by:

$$\models\ \varphi(x) \supset \Box\sim(\mathit{at}\,C_1 \wedge \mathit{at}\,C_2).$$

This states that it is never the case that the joint execution of the processes reaches $C_1$ and $C_2$ simultaneously.

Example: 

Consider again the consumer-producer program CP. The sections

$$C_1 = \{\ell_3, \ell_4, \ell_5\} \text{ in } P_1$$

and

$$C_2 = \{m_2, m_3, m_4, m_5\} \text{ in } P_2$$

are obviously critical sections since they make several accesses to the shared variable $b$. In order to obtain the correct result it must be ensured that no other accesses to $b$ are made during the computation involving $b$.

The mutual exclusion property in this case can be expressed by:

$$\models\ \Box\sim(\mathit{at}\,C_1 \wedge \mathit{at}\,C_2),$$

where the initial condition associated with the proper computations is:

$$\mathit{at}\,\ell_0 \wedge \mathit{at}\,m_0 \wedge b = \Lambda \wedge s = 1 \wedge cf = 0 \wedge ce = N.$$

The formula states that we can never simultaneously be in both critical sections $C_1$ and $C_2$. Note that actually it suffices to prove

$$\models\ \Box\sim(\mathit{at}\,\ell_3 \wedge \mathit{at}\,m_2).$$

This is so because there exists an execution in which $\mathit{at}\,\ell_3 \wedge \mathit{at}\,m_2$ holds in some state if and only if there exists an execution in which $\mathit{at}\,C_1 \wedge \mathit{at}\,C_2$ holds in some state. ▪


Example: 

Similarly a statement of mutual exclusion for the program BC computing the binomial coefficient is given by:

$$\models\ (0 \le k \le n) \supset \Box\sim(\mathit{at}\,\ell_{2..4} \wedge \mathit{at}\,m_{4..6}).$$

Here, we follow our convention:

$\mathit{at}\,\ell_{2..4}$ denotes $\pi_1 \in \{\ell_2, \ell_3, \ell_4\}$

and

$\mathit{at}\,m_{4..6}$ denotes $\pi_2 \in \{m_4, m_5, m_6\}$. ▪


e.  Deadlock  Freedom 

A concurrent program consisting of $m$ processes is said to be deadlocked if no process is enabled. This leaves the idling step as the only possible choice of the scheduler. The rest of the computation will therefore consist of an endless repetition of the current deadlocked state. Clearly in a deadlock situation each process $P_j$ must be blocked at a location $\ell \in L_j$ whose full-exit condition $E_\ell$ is false for the current value $\eta$ of $y$. Therefore the only potential deadlock locations are those $\ell$ for which $E_\ell$ is not identically true. We refer to such locations as waiting locations. The terminal location $\ell_e$ is also considered to be a waiting location. However, the special case in which all processes are at their respective $\ell_e$ locations is not considered to be a deadlock but rather a termination.

Let us therefore consider a tuple $\ell = (\ell^1, \ldots, \ell^m)$ of waiting locations, $\ell^j \in L_j$, not all of which are terminal locations. Let $E_1, \ldots, E_m$ be their associated full-exit conditions. To prevent a deadlock at $\ell$ we require:

$$\models\ \varphi(x) \supset \Box\Big(\bigwedge_{j=1}^{m} \mathit{at}\,\ell^j \supset \bigvee_{j=1}^{m} E_j(y)\Big).$$

This indicates that whenever all the processes are each at $\ell^j$, $j = 1, \ldots, m$, at least one of them is enabled. The corresponding process can then proceed and deadlock is averted.

In order to eliminate the possibility of a deadlock in the full program, we must impose a similar requirement for every possible $m$-tuple of waiting locations, excluding $\ell_e = (\ell_e^1, \ldots, \ell_e^m)$.


Example: 

In the consumer-producer program CP, the complete deadlock freedom condition will be expressed as

$$\begin{aligned}
\models\ \Box\{\ &[(\mathit{at}\,\ell_1 \wedge \mathit{at}\,m_0) \supset (ce > 0 \vee cf > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_1 \wedge \mathit{at}\,m_1) \supset (ce > 0 \vee s > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_2 \wedge \mathit{at}\,m_0) \supset (s > 0 \vee cf > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_2 \wedge \mathit{at}\,m_1) \supset (s > 0)]\ \}.\ ▪
\end{aligned}$$
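The deadlock freedom requirement above, that at every reachable tuple of waiting locations at least one full-exit condition $E_j(y)$ holds, can be checked by exhaustively exploring the interleavings of a small semaphore program. The following Python program is an added example, not part of the paper; the two processes and the tiny instruction set are constructed for illustration (they are not the paper's CP or BC programs), and it assumes the usual semaphore semantics: request(s) is enabled iff $s > 0$ and then decrements $s$, release(s) increments $s$.

```python
"""Explicit-state check of the deadlock-freedom requirement
  (∧_j at l^j) ⊃ (∨_j E_j(y))   at every tuple of waiting locations.
Added example, not part of the original paper.  The processes and the
instruction set are constructed; the semaphore semantics is an assumption."""
from collections import deque

# A process is a tuple of instructions indexed by location 0, 1, ...;
# location len(proc) is its terminal location l_e.
# Instruction forms: ("request", sem), ("release", sem), ("skip",).


def exit_condition(proc, loc, sems):
    """Full-exit condition E_l evaluated on the current semaphore values:
    request(s) is enabled iff s > 0; a terminal location is never enabled."""
    if loc == len(proc):
        return False
    kind = proc[loc][0]
    return sems[proc[loc][1]] > 0 if kind == "request" else True


def is_waiting(proc, loc):
    """Waiting locations: those whose E_l is not identically true
    (request instructions and the terminal location)."""
    return loc == len(proc) or proc[loc][0] == "request"


def fire(proc, loc, sems):
    """Execute the instruction at loc; returns the new location and semaphores."""
    kind = proc[loc][0]
    sems = dict(sems)
    if kind == "request":
        sems[proc[loc][1]] -= 1
    elif kind == "release":
        sems[proc[loc][1]] += 1
    return loc + 1, sems


def reachable_states(procs, init_sems):
    """All states (location tuple, sorted semaphore items) reachable under
    every interleaving: the scheduler may pick any enabled process."""
    start = (tuple(0 for _ in procs), tuple(sorted(init_sems.items())))
    seen, todo = {start}, deque([start])
    while todo:
        locs, sem_items = todo.popleft()
        sems = dict(sem_items)
        for j, proc in enumerate(procs):
            if exit_condition(proc, locs[j], sems):
                nloc, nsems = fire(proc, locs[j], sems)
                nstate = (locs[:j] + (nloc,) + locs[j + 1:],
                          tuple(sorted(nsems.items())))
                if nstate not in seen:
                    seen.add(nstate)
                    todo.append(nstate)
    return seen


def deadlock_states(procs, init_sems):
    """Reachable states violating (∧_j at l^j) ⊃ (∨_j E_j) at a tuple of
    waiting locations.  The all-terminal tuple is termination, not deadlock."""
    bad = []
    for locs, sem_items in reachable_states(procs, init_sems):
        sems = dict(sem_items)
        pairs = list(zip(procs, locs))
        all_waiting = all(is_waiting(p, l) for p, l in pairs)
        all_terminal = all(l == len(p) for p, l in pairs)
        if (all_waiting and not all_terminal
                and not any(exit_condition(p, l, sems) for p, l in pairs)):
            bad.append((locs, sem_items))
    return sorted(bad)


# Constructed two-process program: each process takes two binary semaphores.
P1 = (("request", "a"), ("request", "b"), ("release", "b"), ("release", "a"))
P2_CROSSED = (("request", "b"), ("request", "a"), ("release", "a"), ("release", "b"))
P2_ORDERED = (("request", "a"), ("request", "b"), ("release", "b"), ("release", "a"))
SEMS = {"a": 1, "b": 1}

if __name__ == "__main__":
    # crossed acquisition order: the tuple (1, 1) with a = b = 0 is a deadlock
    print("crossed order:", deadlock_states([P1, P2_CROSSED], SEMS))
    # same acquisition order in both processes: no deadlock tuple is reachable
    print("same order   :", deadlock_states([P1, P2_ORDERED], SEMS))
```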


f. Generalized Deadlock

We may generalize the definition of waiting locations to also include looping instructions of the form:

$$\ell :\ \text{loop until } p(y) \qquad\text{or}\qquad \ell :\ \text{loop while } \sim p(y).$$

Obviously, being trapped at a tuple $(\ell^1, \ldots, \ell^m)$ some of whose locations are looping locations, with $y = \eta$ such that $p(\eta) = \mathit{false}$ for their escape conditions, is just as bad as a deadlock. Formally such a situation is not a deadlock since the execution of the self-transitions in the looping locations is not officially an idling step. But it is also self-evident that these steps cannot alter the state and the computation will remain trapped forever.

Let us therefore define a generalized deadlock situation to be a state $s = (\ell^1, \ldots, \ell^m;\ \eta)$ such that each $\ell^i$ is either a waiting location or a looping location, and such that $\varepsilon_i(\eta) = \mathit{false}$ for each $i = 1, \ldots, m$. The escape condition $\varepsilon_i(y)$ corresponding to location $\ell^i$ is taken as the exit condition $E_{\ell^i}(y)$ if $\ell^i$ is a semaphore location, $\mathit{false}$ if $\ell^i$ is a terminal location $\ell_e^i$, and the condition for getting out of the self-loop if $\ell^i$ is a looping instruction of the form

$$\ell^i :\ \text{loop until } \varepsilon_i(y) \qquad\text{or}\qquad \ell^i :\ \text{loop while } \sim\varepsilon_i(y).$$

Then again the statement ensuring prevention of generalized deadlock at a tuple $\ell = (\ell^1, \ldots, \ell^m)$ is the requirement

$$\models\ \Box\Big(\bigwedge_{j=1}^{m} \mathit{at}\,\ell^j \supset \bigvee_{j=1}^{m} \varepsilon_j(y)\Big).$$


Example : 


Consider the binomial coefficient program BC. A statement of the impossibility of generalized deadlock at the potentially dangerous locations is given by:

$$\begin{aligned}
\models\ (0 \le k \le n) \supset \Box\{\ &[(\mathit{at}\,\ell_1 \wedge \mathit{at}\,m_3) \supset (y_4 > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_1 \wedge \mathit{at}\,m_e) \supset (y_4 > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_e \wedge \mathit{at}\,m_2) \supset (y_1 + y_2 \le n)]\\
\wedge\ &[(\mathit{at}\,\ell_e \wedge \mathit{at}\,m_3) \supset (y_4 > 0)]\\
\wedge\ &[(\mathit{at}\,\ell_1 \wedge \mathit{at}\,m_2) \supset (y_4 > 0 \vee y_1 + y_2 \le n)]\ \}.
\end{aligned}$$

This statement ensures that if execution is at $(\ell_1, m_3)$ then $y_4 > 0$ and one of the processes is able to proceed; if one of the processes is ever at its terminal location the other process is not deadlocked at its request instruction or trapped at its loop instruction; and if the execution is ever at $(\ell_1, m_2)$ then either $y_4 > 0$ or $y_1 + y_2 \le n$, thus either enabling $P_1$ or permitting $P_2$ to exit from its self-loop. ▪
EVENTUALITY (LIVENESS) PROPERTIES


A second category of properties are those expressible by formulas of the form:

$$\models\ w_1 \supset \Diamond w_2.$$

This formula states that for every proper computation, if $w_1$ is initially true then $w_2$ must eventually be realized. In comparison with invariance properties that only describe the preservation of a desired property from one step to the next, an eventuality property guarantees that some event will finally be accomplished. It is therefore more appropriate for the statement of goals which may need many steps to be realized.

Note that because of the suffix closure of the set of proper computations this formula is equivalent to:

$$\models\ \Box(w_1 \supset \Diamond w_2)$$

which states that whenever $w_1$ arises during the computation it will eventually be followed by the realization of $w_2$.

A  property  expressible  by  such  a  formula  is  called  an  eventuality  (liveness)  property  ([OL]). 
Following  are  some  samples  of  eventuality  properties. 


a.  Total  Correctness 

This property, like partial correctness, is meaningful only for programs with terminal locations, i.e., programs that are expected to terminate in contrast to continuous (cyclic) programs.

A program is said to be totally correct with respect to a specification $(\varphi, \psi)$, if for all input values $x$ satisfying $\varphi(x)$, termination is guaranteed, and the output values $y$ upon termination satisfy $\psi(x,y)$. Once more, let $\ell_e$ denote the exit points of the program. Total correctness w.r.t. $(\varphi, \psi)$ is expressible by:

$$\models\ \varphi(x) \supset \Diamond(\mathit{at}\,\ell_e \wedge \psi(x,y)).$$

This says that if we have an admissible execution sequence beginning in a state which is at locations $\ell_0$ and has values $y = f_0(x)$ where $\varphi(x)$ is true, then later in that execution sequence we are guaranteed to have a state which is at $\ell_e$ and satisfies $\psi(x,y)$.

Example: 

The statement of total correctness for the factorial program F is:

$$\models\ (x \ge 0) \supset \Diamond(\mathit{at}\,\ell_e \wedge y_2 = x!).\ ▪$$


Example:

The expression of total correctness for the tree node counting program TN is given by:

$$\models\ \Diamond(\mathit{at}\,\ell_e \wedge C = |X|).\ ▪$$

Example:

The statement of total correctness for the binomial coefficient program BC is given by:

$$\models\ (0 \le k \le n) \supset \Diamond\big[\mathit{at}\,\ell_e \wedge \mathit{at}\,m_e \wedge y_3 = \tbinom{n}{k}\big].\ ▪$$


b.  Intermittent  Assertions 

Eventuality formulas enable us to express a causality relation between any two events, not only between program initialization and termination but also between events arising during the execution. This becomes especially important when discussing continuous (cyclic) programs, i.e., programs that are not supposed to terminate but are to operate continuously. The general form of such an eventuality is:

$$\models\ (\mathit{at}\,\ell \wedge \phi) \supset \Diamond(\mathit{at}\,\ell' \wedge \phi')$$

and it claims that whenever (in a proper computation) $\phi$ arises at $\ell$ we are guaranteed of eventually reaching $\ell'$ with $\phi'$ true. This is the exact formalization of the basic Intermittent-Assertion statement ([BUR], [MW]):

"If sometime $\phi$ at $\ell$ then sometime $\phi'$ at $\ell'$."


Example : 

Consider the program TN for counting the number of nodes in a tree. An important intermittent assertion that serves as a basis for the proof of its correctness is:

$$\models\ [\mathit{at}\,\ell_0 \wedge S = u \cdot s \wedge C = c] \supset \Diamond[\mathit{at}\,\ell_0 \wedge S = s \wedge C = c + |u|].$$

Here, $u$, $s$ and $c$ are used in the role of global variables, while $S$ and $C$ are local program variables. This statement says that being at $\ell_0$ with a nonempty stack ensures a later arrival to $\ell_0$. In a subsequent arrival (not necessarily the next one), the top element of the stack will be removed and the value of $C$ will have been incremented by the number of nodes in the top element.

Example : 

Consider again the program PR for printing successive prime numbers. Under the invariance properties we expressed the claim that nothing but primes is printed:

(1) $\models\ \Box(\mathit{at}\,\ell_0 \supset prime(y_1)).$

Now we can state that the proper sequence of primes is produced. The property that every prime number is printed can be expressed by

(2) $\models\ [\mathit{at}\,\ell_0 \wedge y_1 = 2 \wedge prime(u)] \supset \Diamond(\mathit{at}\,\ell_0 \wedge y_1 = u).$

In conjunction with the invariance property (1), this statement guarantees that all the printed results are primes

2, 3, 5, 7, 11, 13, 17, ...

but the two do not guarantee that some primes are not printed more than once or out of sequence. For example, the sequence of integers

3, 2, 5, 3, 7, 5, 11, 7, 13, 11, ...

satisfies the statements above.

We thus have to add an additional statement that will guarantee that the printed sequence is exactly the desired one. We have to be careful in devising a solution: note that the statement

$$[\mathit{at}\,\ell_0 \wedge y_1 = u] \supset \Box(\mathit{at}\,\ell_0 \supset y_1 > u)$$

does not resolve the problem! Why?

The property that the primes are printed in order can be expressed by

(3) $\models\ [\mathit{at}\,\ell_1 \wedge y_1 = u] \supset \Box(\mathit{at}\,\ell_0 \supset y_1 > u).$

This ensures monotonicity for any future visit to $\ell_0$. ▪


The  following  properties  are  of  interest  mainly  for  concurrent  programs  having  more  than  one 
process. 


c.  Accessibility 


Consider again a process that has a critical section $C$. In the previous discussion we have shown how to state exclusion (or protection) for that section. A related and complementary property is accessibility. That is, if a process wishes to enter its critical section it will eventually get there and will not be indefinitely held up by the protection mechanism. Obviously a foolproof protection mechanism is worthless if it does not eventually admit the process into its critical section.

Let $\ell_1$ be a location just before the critical section. The fact that the process is at $\ell_1$ indicates an intention to enter the critical section. Let $C$ be the set of locations in the critical section. The property of accessibility can then be expressed by

$$\models\ \mathit{at}\,\ell_1 \supset \Diamond\,\mathit{at}\,C;$$

namely, whenever the program is at $\ell_1$, it will eventually get into $C$.

A correct construction of critical sections should ensure these two complementary properties: protection (exclusiveness) and accessibility.

Example:

For the consumer-producer program CP, we wish to express the property that whenever the producer is at $\ell_1$ it will eventually get to $\ell_3$ and be able to deposit $y_1$ in the buffer. A symmetric statement expresses accessibility for the consumer: whenever the consumer is at $m_0$ it will eventually get to $m_2$. The conjunction of these two properties, expressing the accessibility property of the program, is given by:

$$\models\ [\mathit{at}\,\ell_1 \supset \Diamond\,\mathit{at}\,\ell_3] \wedge [\mathit{at}\,m_0 \supset \Diamond\,\mathit{at}\,m_2].$$


d.  Liveness 

A more general class of eventuality properties arises when we consider the notion that the computation of any particular process must eventually progress. Here we do not necessarily restrict ourselves to locations containing semaphore instructions.

Consider an arbitrary non-terminal location $\ell$ in some process $P_i$, i.e., $\ell \ne \ell_e$ for that process. If the computation of this process is to proceed we cannot remain blocked at $\ell$ due to a failure of the scheduler to schedule process $P_i$. Assuming that our program contains self-loops only for waiting purposes, such as in the loop instruction, progress in $P_i$ is observable by seeing $P_i$ moving from a state of $\mathit{at}\,\ell$ to a state of $\sim\mathit{at}\,\ell$. Consequently, the property of liveness for a general location $\ell$, $\ell \ne \ell_e$, can be expressed by:

$$\models\ \mathit{at}\,\ell \supset \Diamond\sim\mathit{at}\,\ell,$$

i.e., if we arrive at this location we will eventually move out. In fact we can simplify this formula to

$$\models\ \Diamond\sim\mathit{at}\,\ell$$

which is equivalent to

$$\models\ \sim\Box\,\mathit{at}\,\ell,$$

meaning that we cannot get blocked at the location $\ell$.

The property of liveness is also known as absence of livelock or freedom from individual starvation. A livelock (or individual starvation) is defined as a situation in which some processes which are not in a terminal location cannot proceed even though the full program may still progress by having some other processes execute. Note that this is a stronger requirement than the absence of a (generalized) deadlock. As long as at least one of the processes can proceed the program is not deadlocked.


e.  Responsiveness 

A very important class of programs that are usually modeled as concurrent programs are operating systems and real-time programs such as airline reservation systems and other online data-base systems. These programs can conveniently be considered as continuous (cyclic) programs which are to run forever. A halt in these programs usually indicates an error condition. Consequently these programs are not run for their end results but for the effects produced during their endless operation. Thus the notions of total and partial correctness are meaningless and have to be replaced by statements about the programs' continuous behavior.

A  property  usually  expected  of  such  programs  is  responsiveness. 

Example: 

Consider a continuous program (granter) $G$ modelling an operating system. Assume that it serves a number of customer programs (requesters) $R_1, \ldots, R_t$ by scheduling a shared resource between them. The resource here can be a shared disk, main memory, etc. Let the customer programs communicate with the operating system concerning the resource via a set of boolean variables $\{r_i, g_i\}$, for $i = 1, \ldots, t$. Here, $r_i$ is set to true by the customer program $R_i$ to signal a request for the resource; $g_i$ is set to true by $G$ signalling to $R_i$ that it has been granted (allocated) the resource. After using the resource, the customer $R_i$ releases the resource back to the system $G$ by setting $r_i$ to false. This release is then acknowledged by the system $G$ by setting $g_i$ to false.

To summarize:

$R_i$ signals a request $\Rightarrow$ $r_i := \mathit{true}$
$G$ allocates the resource $\Rightarrow$ $g_i := \mathit{true}$
$R_i$ releases the resource $\Rightarrow$ $r_i := \mathit{false}$
$G$ acknowledges the release $\Rightarrow$ $g_i := \mathit{false}$.

The statement that the operating system fairly responds to the customer requests (responsiveness) is given by:

$$a_i :\quad r_i \supset \Diamond g_i,$$

i.e., whenever $r_i$ becomes true, eventually $g_i$ will turn true. Note that this statement does not stipulate that $r_i$ becomes true when $G$ is at a particular location. Consequently it can express events such as interrupts or unsolicited signals which may occur at any arbitrary moment.

Similarly we have to ensure that the system acknowledges the release of the resource by turning $g_i$ to false:

$$b_i :\quad \sim r_i \supset \Diamond\sim g_i.$$


Furthermore, the system cannot hope to operate successfully if it does not enjoy the cooperation of the customer programs. For example, the system cannot promise $R_2$ an eventual grant of the resource if $R_1$, who currently holds the resource, does not ever intend to release it. Consequently we will expect the $R_i$'s to satisfy some proper behavior requirements, namely for each $i$:

$$c_i :\quad g_i \supset \Diamond\sim r_i.$$

This statement ensures that when the resource is granted to $R_i$, it will eventually be released.


To these statements we will usually add some invariance statements ensuring the correct continuous behavior of $G$. One such statement is

$$d :\quad \Box\Big(\sum_{i=1}^{t} g_i \le 1\Big)$$

meaning that at any particular time the system grants the resource to at most one requester. This is a type of mutual exclusion.

Denote the correct behavior statement of $G$ by

$$\psi = \bigwedge_{i=1}^{t} a_i \;\wedge\; \bigwedge_{i=1}^{t} b_i \;\wedge\; d$$

and the correct behavior expected from the $R_i$'s by

$$\varphi = \bigwedge_{i=1}^{t} c_i.$$

The  problem  of  proving  the  correct  behavior  of  G  can  be  approached  in  two  different  ways: 

•  Consider a concurrent program $P$ that consists of $G$ alone. The $r_i$'s and $g_i$'s are then
considered as input/output variables, where the $r_i$'s are supposed to be set by the external
agents $R_1, \ldots, R_t$.

For this program we would prove:

$\models\; \Box\varphi \supset \Box\psi.$

That is, provided the external communication $\varphi$ continuously behaves properly we can
promise the correct behavior $\psi$ of $G$.

•  As another alternative consider the concurrent program $P$ that consists of $G$ running together
with $R_1, \ldots, R_t$, i.e.

$P \;=\; (\bar r, \bar g) := (false, \ldots, false);\; [G \,\|\, R_1 \,\|\, \ldots \,\|\, R_t].$

For each $R_i$ here we substitute a simplified model that guarantees to maintain $\Box c_i$. Such
a model can be represented as:

$\ell_0$ : execute
$\ell_1$ : $r_i$ := true
$\ell_2$ : wait until $g_i$
$\ell_3$ : compute {use resource}
$\ell_4$ : $r_i$ := false
$\ell_5$ : wait until $\sim g_i$
$\ell_6$ : go to $\ell_0$

— Customer Program $R_i$ —


If we believe that our model for $R_i$ faithfully represents the real $R_i$ as far as communication
with $G$ is concerned, we can proceed to prove

$\models\; \Box(\varphi \wedge \psi)$

to ensure the correct behavior of $P$.

Thus the two modelling alternatives available to us are the following: either considering $G$
alone communicating with the external world via the $r_i$, $g_i$ variables, or considering a combined
system of $G$ together with $R_1, \ldots, R_t$. In the first case the proper behavior of the external world
has to be promised through a continuous maintenance of $\varphi$. In the second case the proper behavior
of the $R_i$'s is proven at the same time as the proper behavior of $G$.

The same analysis can of course be conducted for other situations where a program communicates
with external devices and is expected to respond properly to incoming signals. ∎

The  application  of  the  temporal  formalism  to  the  problems  of  responsiveness  points  out  its 
power.  Invariances  and  total  correctness  are  long-known  properties  and  many  special  formal 
systems  and  methodologies  have  been  proposed  and  successfully  implemented  for  their  analysis  and 
proofs.  The  temporal  logic  contribution  to  this  problem  is  a  uniform  treatment  and  an  explicit 
direct  expressibility.  In  contrast,  the  discussion  of  responsiveness  is  relatively  recent;  no  prior 
formalism  addressed  itself  to  the  description  and  proof  of  these  properties. 

PRECEDENCE  (UNTIL)  PROPERTIES 


The  third  class  of  properties  to  be  considered  are  those  properties  which  are  expressible  using 
the  until  operator. 

In their simplest form they will be expressed by statements of the type:

$\models\; w_1 \, U \, w_2.$

This statement says that in all proper computations of $P$ there will be a future instance in which
$w_2$ holds and such that $w_1$ will hold until that instance. Recall that the formal meaning of the
until operator was given by

$w_1 \, U \, w_2 \,|_{\sigma} = true$ iff for some $k \ge 0$, $w_2 \,|_{\sigma^{(k)}} = true$ and
for all $i$, $0 \le i < k$, $w_1 \,|_{\sigma^{(i)}} = true$.


Note that we require $i < k$ and not $i \le k$. Thus, the formula $w_1 \, U \, w_2$ expresses the exclusive form
of the until operator since $w_1$ is required to hold until the instant that $w_2$ becomes true but not
including that instant. The corresponding inclusive until property that requires $w_1$ to be true up
to and including the instant in which $w_2$ becomes true can be expressed by the formula

$w_1 \, U \, (w_1 \wedge w_2).$

The until operator is also very useful in expressing precedence relations between events. We
define the derived precede operator $P$ by:

$w_1 \, P \, w_2 \;\text{ is }\; \sim((\sim w_1) \, U \, w_2).$


This makes $P$ the dual of $U$ in a similar way to $\Box$ being the dual of $\Diamond$. The statement $w_1 \, P \, w_2$,
read $w_1$ precedes $w_2$, states that if $w_2$ ever happens it will not happen until $w_1$ happens first. This
is equivalent to stating that the first instance of $w_1$ (observed from the present) strictly precedes
the first instance of $w_2$. The formal meaning of the precede operator can be given by

$w_1 \, P \, w_2 \,|_{\sigma} = true$ iff for every $k \ge 0$, if $w_2 \,|_{\sigma^{(k)}} = true$
then for some $i$, $0 \le i < k$, $w_1 \,|_{\sigma^{(i)}} = true$.


Note that we have again $i < k$ and not $i \le k$. Thus, the precedes operator $P$ is again an exclusive
operator, expressing strict precedence between $w_1$ and $w_2$.

If we wish to express inclusive precedence, allowing the first instances of $w_1$ and $w_2$ to coincide,
we may use

$w_1 \, P \, (\sim w_1 \wedge w_2).$


To show that this indeed expresses inclusive precedence, we may substitute $\sim w_1 \wedge w_2$ for $w_2$ in
the definition above to obtain after some manipulation:

$w_1 \, P \, (\sim w_1 \wedge w_2) \,|_{\sigma} = true$ if and only if for every $k \ge 0$,
if $w_2 \,|_{\sigma^{(k)}} = true$ then $w_1 \,|_{\sigma^{(k)}} = true$
or for some $i$, $0 \le i < k$, $w_1 \,|_{\sigma^{(i)}} = true$,

showing that the first instance of $w_2$ either coincides with an instance of $w_1$ or is preceded by such
an instance.

While $w_1 \, U \, w_2$ implies that $w_2$ is bound to happen, this is not guaranteed by $w_1 \, P \, w_2$. In fact,
if $w_2$ never happens then $w_1 \, P \, w_2$ holds for every $w_1$.

Several obvious properties of the precedes operator may be derived from corresponding properties
of the $U$ operator and the definition of $P$. Among them are:

1.  $\models\; w \, P \, w \;\equiv\; \Box \sim w$

2.  $\models\; (w_1 \, P \, w_2) \wedge (w_2 \, P \, w_3) \supset (w_1 \, P \, w_3)$

3.  $\models\; w_1 \, P \, w_2 \;\equiv\; \sim w_2 \wedge [w_1 \vee \bigcirc(w_1 \, P \, w_2)]$

4.  $\models\; \Box \sim w_2 \supset (w_1 \, P \, w_2)$

5.  $\models\; (w_1 \, P \, w_2) \vee (w_2 \, P \, w_1) \vee \Diamond(w_1 \wedge w_2)$

6.  $\models\; (w_1 \, P \, w_2) \vee (w_2 \, P \, (\sim w_2 \wedge w_1))$

7.  $\models\; w_1 \, U \, w_2 \;\equiv\; \sim(\sim w_1 \, P \, w_2).$

Statement 1 says that $w$ may precede itself iff it never happens, since no event can come before
the first occurrence of that event.

Statement 2 indicates the transitivity of the precedence relation. It says that if $w_1$ precedes
$w_2$ which precedes $w_3$ then $w_1$ precedes $w_3$.

Statement 3 gives an inductive characterization of the $P$ operator. It says that $w_1$ precedes
$w_2$ iff $w_2$ is presently false and either $w_1$ is true now or $w_1$ precedes $w_2$ when observed from the
next instant.

Statement 4 says that if $w_2$ never happens then obviously $w_1$ precedes $w_2$, for every $w_1$.

Statements 5 and 6 each characterize the linearity of time. Statement 5 says that for every
two events $w_1$ and $w_2$, either $w_1$ precedes $w_2$ or $w_2$ precedes $w_1$ or both occur at the same time.
Statement 6 says that for every two events $w_1$ and $w_2$, either $w_1$ strictly precedes $w_2$ or $w_2$ weakly
precedes $w_1$.

Statement 7 shows that the $U$ operator itself is expressible by the $P$ operator.

We  will  consider  formulas  involving  the  P  operator  as  belonging  to  the  class  of  until  properties. 
We  discuss  below  several  subclasses  of  properties  involving  the  U  and  P  operators. 


a.  Safe  Liveness 

We may interpret invariance properties as an assurance that nothing bad will happen, and
liveness properties as a promise that something good will eventually happen. Consistent with this,
we may want to ascertain that nothing bad happens until something good happens. This is exactly
expressible by

$\models\; w_1 \, U \, w_2,$

where $w_1$ is a safety property that we wish to maintain (e.g., clean behaviour and global assertions),
while $w_2$ is a liveness property that we want ultimately to achieve (e.g., termination and correctness).
It is recommended that a full specification of a program should always be expressed as an
until expression $\models w_1 \, U \, w_2$, i.e., achieve $w_2$ while maintaining $w_1$.

In some cases the "until" notation is just a conveniently expressed combination of safety and
liveness properties since:

$\models\; (\Box w_1 \wedge \Diamond w_2) \supset w_1 \, U \, w_2.$

However the more interesting case is when $w_1$ holds up to but not including the instant in which
$w_2$ happens. Then it is no longer true that $\Box w_1$ is a program-valid statement.

The until operator can also be used to express "first-time" properties. Recall that a formula
of form

$\models\; (at\ell \wedge \phi) \supset \Diamond(at\ell' \wedge \phi')$

expresses the some-time property: If the program is at $\ell$ and $\phi$ is true, then sometime (eventually)
the program must reach $\ell'$ with $\phi'$ being true. Similarly, a formula of form

$\models\; (at\ell \wedge \phi) \supset [(\sim at\ell') \, U \, (at\ell' \wedge \phi')]$

expresses the first-time property: If the program is at $\ell$ and $\phi$ is true, then sometime the program
must reach $\ell'$, and on the first visit, $\phi'$ will be true.

Example:

The safety and liveness properties for the binomial coefficient program $BC$ can be stated as:

$\models\; (0 \le k \le n) \supset$
$\quad \{\, [(atm_4 \supset (y_2 \ne 0) \wedge (y_3 \bmod y_2 = 0)) \wedge (n - k \le y_1 \le n) \wedge (0 \le y_2 \le k)]$
$\quad\;\; U \;\; [at\ell_e \wedge atm_e \wedge y_3 = \binom{n}{k}] \,\}.$

That is, achieve termination and correct result while maintaining clean behavior and global
invariances. ∎

b.  Absence  of  Unsolicited  Response 

Let $w_1 \supset \Diamond w_2$ be a statement of responsiveness which guarantees that to every situation in
which $w_1$ is true the program responds by making $w_2$ true. We often wish to complement this
statement by requiring that on the other hand, $w_2$ will never happen unless preceded by $w_1$, i.e. the
program does not respond unless explicitly requested. This of course is expressible as:

$w_1 \, P \, w_2,$

meaning that there is always a $w_1$ preceding every $w_2$.

There is however a problem associated with the interpretation of the formal statement above
as expressing our intuitive requirement. Assume a situation in which $w_1$ occurs at $t_1$ and $w_2$ indeed
follows at $t_2$, $t_2 > t_1$, and neither $w_1$ nor $w_2$ is true between $t_1$ and $t_2$. If we try to test the
statement "$w_1$ precedes $w_2$" at any $t_3$, $t_1 < t_3 < t_2$, it will turn out to be false, since the first
event following $t_3$ is $w_2$ rather than $w_1$. Thus we have to be careful to restrict our statement to
only such reference points from which the precedence relation can be safely observed.

Thus a more careful description of the no-request-no-response statement is:

$\models\; (at\ell_0 \supset w_1 \, P \, w_2) \wedge [(w_2 \wedge \bigcirc \sim w_2) \supset \bigcirc(w_1 \, P \, w_2)].$

This selects as good reference points from which the precedence of $w_1$ to $w_2$ may be observed either
the starting point of the computation, or an instant in which $w_2$ is true and is changing to false in
the next instant. In the latter case $w_1 \, P \, w_2$ begins to hold only in the next instant.

In most practical cases we have additional information about the behavior of $w_1$ and $w_2$ that
helps us formulate the requirements in simpler terms. Thus if we knew that once $w_1$ was raised
and not yet answered by a $w_2$ it stays true until answered, the above problem would not have arisen.
Instead we could use the simpler

$\models\; (at\ell_0 \vee w_1) \supset w_1 \, P \, w_2.$
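The definitions of $U$ and $P$ given at the start of this section, the valid statements 1-7 listed there, and the reference-point difficulty just discussed can all be checked mechanically on finite state sequences. The following Python program is an added example and is not part of the paper: it evaluates formulas over a finite trace, confirms statements 1-7 by enumerating every trace of a fixed length (because traces are finite, the next operator $\bigcirc$ is taken as vacuously true at the last state, an assumption made only here), contrasts the exclusive and inclusive until on a constructed trace, and evaluates $w_1 \, P \, w_2$ from every instant of the constructed request/response trace, where it is true at $t_1$ but false at the intermediate $t_3$. All function names, the trace encoding and the sample traces are this example's own.

```python
"""Finite-trace semantics of the until (U) and precede (P) operators.

Added example, not from the paper.  A trace is a list of states (dicts from
proposition names to booleans); a formula is a function f(trace, k) giving its
truth value at position k.  Traces are finite here, so the next operator is
taken as vacuously true at the last state (an assumption of this example).
"""
from itertools import product


def prop(name):
    return lambda tr, k: tr[k][name]

def neg(f):
    return lambda tr, k: not f(tr, k)

def conj(f, g):
    return lambda tr, k: f(tr, k) and g(tr, k)

def disj(f, g):
    return lambda tr, k: f(tr, k) or g(tr, k)

def implies(f, g):
    return lambda tr, k: (not f(tr, k)) or g(tr, k)

def equiv(f, g):
    return lambda tr, k: f(tr, k) == g(tr, k)

def always(f):                 # box: f at every position j >= k
    return lambda tr, k: all(f(tr, j) for j in range(k, len(tr)))

def eventually(f):             # diamond: f at some position j >= k
    return lambda tr, k: any(f(tr, j) for j in range(k, len(tr)))

def nxt(f):                    # circle: f at k+1; vacuously true at the end of a finite trace
    return lambda tr, k: f(tr, k + 1) if k + 1 < len(tr) else True

def until(f, g):
    """Exclusive until: g at some j >= k, and f at every i with k <= i < j."""
    def ev(tr, k):
        for j in range(k, len(tr)):
            if g(tr, j):
                return True
            if not f(tr, j):
                return False
        return False
    return ev

def precedes(f, g):
    """Derived operator: f P g is ~((~f) U g)."""
    return neg(until(neg(f), g))


W1, W2, W3 = prop("w1"), prop("w2"), prop("w3")

# Statements 1-7 of the text, each written as a formula that should be valid.
STATEMENTS = {
    1: equiv(precedes(W1, W1), always(neg(W1))),
    2: implies(conj(precedes(W1, W2), precedes(W2, W3)), precedes(W1, W3)),
    3: equiv(precedes(W1, W2), conj(neg(W2), disj(W1, nxt(precedes(W1, W2))))),
    4: implies(always(neg(W2)), precedes(W1, W2)),
    5: disj(disj(precedes(W1, W2), precedes(W2, W1)), eventually(conj(W1, W2))),
    6: disj(precedes(W1, W2), precedes(W2, conj(neg(W2), W1))),
    7: equiv(until(W1, W2), neg(precedes(neg(W1), W2))),
}


def valid(formula, names=("w1", "w2", "w3"), length=4):
    """True iff formula holds at every position of every trace of the given length."""
    n = len(names)
    for bits in product((False, True), repeat=length * n):
        tr = [dict(zip(names, bits[s * n:(s + 1) * n])) for s in range(length)]
        if not all(formula(tr, k) for k in range(length)):
            return False
    return True


def check_statements(length=4):
    return {num: valid(f, length=length) for num, f in STATEMENTS.items()}


def make_trace(*rows):
    """Constructed trace: each row gives (w1, w2) for one instant; w3 is unused."""
    return [{"w1": a, "w2": b, "w3": False} for a, b in rows]


# Constructed: w1 holds at instants 0 and 1, w2 first holds at instant 2 (w1 is off there).
EXCLUSIVE_TRACE = make_trace((True, False), (True, False), (False, True))

def exclusive_vs_inclusive(tr=EXCLUSIVE_TRACE):
    """(w1 U w2, w1 U (w1 & w2)) at instant 0: the inclusive form fails here."""
    return until(W1, W2)(tr, 0), until(W1, conj(W1, W2))(tr, 0)


# Constructed: w1 at t1 = 0, w2 at t2 = 2, neither true at the instant in between.
REFERENCE_TRACE = make_trace((True, False), (False, False), (False, True))

def precedence_by_reference_point(tr=REFERENCE_TRACE):
    """w1 P w2 observed from each instant: true at t1, false at t3 = 1 and at t2."""
    return [precedes(W1, W2)(tr, k) for k in range(len(tr))]
```

`check_statements()` enumerates all $2^{12}$ traces of length 4 over three propositions and evaluates each statement at each position, which is the finite-trace counterpart of checking validity in every suffix $\sigma^{(k)}$; raising `length` widens the search but does not replace a proof.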
Example.


Let us reconsider the example of the operating system model: an allocator (granter) $G$ that
allocates a resource between customers (requesters) $R_1, \ldots, R_t$. Customer $R_i$ signals its requests
by setting $r_i$ to true. The allocator $G$ eventually responds by setting $g_i$ to true. The customer
eventually releases the resource by setting $r_i$ to false which the allocator acknowledges by setting
$g_i$ to false.

This simple communication protocol between a particular customer $R_i$ and the allocator can
be specified by the following four invariants:

1.  $\models\; (r_i \wedge \sim g_i) \supset \bigcirc r_i.$

This says that if $r_i$ is true and $g_i$ is false, meaning that $R_i$ is requesting the resource but has not
yet been granted its request, $R_i$ should persist in its request by leaving $r_i$ on for the next instant.
Note that we exclude instantaneous response by using the current values of $r_i$ and $g_i$ to determine
the next value of $r_i$.

2.  $\models\; (r_i \wedge g_i) \supset \bigcirc g_i.$

This states that if the resource has been granted to $R_i$, then the allocator is not allowed to withdraw
its grant until the resource is released by $R_i$ by setting $r_i$ to false.

3.  $\models\; (\sim r_i \wedge g_i) \supset \bigcirc \sim r_i.$

This states that if the allocator has not yet acknowledged the release of the resource by $R_i$, then
$R_i$ may not issue a new request.

4.  $\models\; (\sim r_i \wedge \sim g_i) \supset \bigcirc \sim g_i.$

This states that if the resource is not currently allocated to $R_i$ nor is $R_i$ requesting it, the allocator
should not grant the resource to a process which is not requesting it. This is exactly our requirement
of no unsolicited responses for this case.

These four demands with the additional responsiveness requirements

5.  $\models\; r_i \supset \Diamond g_i$

6.  $\models\; g_i \supset \Diamond \sim r_i$

7.  $\models\; \sim r_i \supset \Diamond \sim g_i$

ensure the correct and proper behavior of the system.

The four statements 1-4 above characterize the behavior of the program by immediate transition
rules. Since it is not always obvious what are the global consequences of such local constraints,
we would prefer to specify them in a more global style. Such specifications can be given by:

(a)  $\models\; r_i \supset [r_i \, U \, (g_i \wedge r_i)]$

(b)  $\models\; g_i \supset [g_i \, U \, (\sim r_i \wedge g_i)]$


(c)  $\models\; \sim r_i \supset [\sim r_i \, U \, (\sim g_i \wedge \sim r_i)]$

(d)  $\models\; \sim g_i \supset (r_i \, P \, g_i)$

which replace 1-7.

Statement (a) says that if $r_i$ is true it will remain true until $g_i$ is granted. Statement (b) says
that if the resource is granted it will remain granted until released. Statement (c) says that if the
resource has been released it will not be requested again until the release has been acknowledged.
Statement (d) says that if $g_i$ is not currently allocated, its next allocation must be preceded by a
request. ∎


c.  Fair  Responsiveness 

In many situations we have the precedence of two events $\psi_1$ and $\psi_2$, i.e., $\psi_1$ precedes $\psi_2$, only
when two earlier events $\phi_1$ and $\phi_2$ occurred in the same order, i.e. $\phi_1$ precedes $\phi_2$. We will refer
to such situations as conditional precedence. It is expressible by the statement:

$(\phi_1 \, P \, \phi_2) \supset (\psi_1 \, P \, \psi_2).$

This says that if $\phi_1$ (strictly) precedes $\phi_2$ then $\psi_1$ will (strictly) precede $\psi_2$.
Coupled with the implications

$\models\; \phi_1 \supset \Diamond \psi_1$ and $\models\; \phi_2 \supset \Diamond \psi_2$

which ensure responsiveness, the conditional precedence sharpens our commitment to fair responsiveness.
That is, if we interpret $\models \phi_1 \supset \Diamond \psi_1$ and $\models \phi_2 \supset \Diamond \psi_2$ as describing a response
$\psi_i$ to a request $\phi_i$, then responsiveness says that every request will eventually be honored by a
response. The fair responsiveness establishes a first-come-first-serve discipline by ensuring that if
$\phi_1$ preceded $\phi_2$ then the response to $\phi_1$, namely $\psi_1$, will precede the response to $\phi_2$, i.e. $\psi_2$.

Example:

Let us consider again the problem of the granter (allocator) and his serviced customers (requesters).
We may impose a fairness requirement on his responsiveness obligations by insisting on a first-
come-first-serve policy. This would be expressed by:

$\models\; (r_i \, P \, r_j) \supset (g_i \, P \, g_j).$

This means that if customer $R_i$ placed his request before customer $R_j$ he will be serviced prior to
customer $R_j$. However, we again must be careful to state this only in "quiescent" reference points.
For example, if $g_j$ is currently true, while both $r_i = r_j =$ false, a situation which may occur just
at the end of a granting period to $R_j$, we certainly cannot promise that $g_i$ will precede $g_j$.

A reasonable set of reference points is such instants in which $g_j$ is currently false. Thus the
conditional precedence statement restricted to these observation points is:

$\models\; (\sim g_j) \supset [(r_i \, P \, r_j) \supset (g_i \, P \, g_j)].$ ∎
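The allocator protocol specified by invariants 1-4 and $d$, and the first-come-first-serve statement just given, can be checked on an execution trace of the combined system. The following Python program is an added example and is not the paper's code: it runs the customer model $R_i$ given earlier in this section (locations $\ell_0$ to $\ell_6$) against an allocator $G$ under an assumed round-robin scheduler and an assumed first-come-first-served grant policy, records the trace of $(\bar r, \bar g)$ states, and checks the immediate transition rules 1-4, the mutual exclusion statement $d$, and $(\sim g_j) \supset [(r_i \, P \, r_j) \supset (g_i \, P \, g_j)]$ from every instant at which $g_j$ is false. A switch `unsolicited` (this example's own) makes the allocator grant $R_1$ without a request so that the checker reports a breach of rule 4. Responsiveness (5) is only approximated by counting grants, since a finite trace cannot settle an eventuality at its end.

```python
"""Simulate allocator G with customers R_1..R_t and check the protocol on the trace.

Added example, not the paper's code.  The customer follows the text's
seven-location model; the allocator's first-come-first-served policy, the
round-robin scheduler and the `unsolicited` fault switch are assumptions.
"""


def customer_step(loc, i, r, g):
    """Execute one instruction of R_i at location loc; return the next location."""
    if loc == 0:                       # l0: execute (local computation)
        return 1
    if loc == 1:                       # l1: r_i := true
        r[i] = True
        return 2
    if loc == 2:                       # l2: wait until g_i
        return 3 if g[i] else 2
    if loc == 3:                       # l3: compute {use resource}
        return 4
    if loc == 4:                       # l4: r_i := false
        r[i] = False
        return 5
    if loc == 5:                       # l5: wait until ~g_i
        return 6 if not g[i] else 5
    return 0                           # l6: go to l0


def allocator_step(r, g, queue, unsolicited=False):
    """One step of G: record new requests, then acknowledge a release or grant."""
    for i in range(len(r)):            # pending requests join the queue in arrival order
        if r[i] and not g[i] and i not in queue:
            queue.append(i)
    holder = next((i for i, held in enumerate(g) if held), None)
    if holder is None:
        if queue:
            g[queue.pop(0)] = True     # a_i: grant the oldest pending request
        elif unsolicited:
            g[0] = True                # injected fault: grant R_1 without a request
    elif not r[holder]:
        g[holder] = False              # b_i: acknowledge the release


def run(t=3, steps=200, unsolicited=False):
    """Interleave G, R_1, ..., R_t round-robin; return the trace of (r, g) states."""
    r, g, locs, queue = [False] * t, [False] * t, [0] * t, []
    trace = [(tuple(r), tuple(g))]
    for s in range(steps):
        p = s % (t + 1)
        if p == 0:
            allocator_step(r, g, queue, unsolicited)
        else:
            locs[p - 1] = customer_step(locs[p - 1], p - 1, r, g)
        trace.append((tuple(r), tuple(g)))
    return trace


def violations(trace):
    """(rule, instant, i) for every breach of invariants 1-4 and of d (at most one grant)."""
    bad, t = [], len(trace[0][0])
    for k, (r, g) in enumerate(trace):
        if sum(g) > 1:
            bad.append(("d", k, None))
        if k + 1 == len(trace):
            break
        r2, g2 = trace[k + 1]
        for i in range(t):
            if r[i] and not g[i] and not r2[i]:
                bad.append((1, k, i))  # a pending request stays raised
            if r[i] and g[i] and not g2[i]:
                bad.append((2, k, i))  # a grant is not withdrawn before release
            if not r[i] and g[i] and r2[i]:
                bad.append((3, k, i))  # no new request before the release is acknowledged
            if not r[i] and not g[i] and g2[i]:
                bad.append((4, k, i))  # no unsolicited grant
    return bad


def first_at(trace, k, sel):
    """First instant j >= k whose state satisfies sel, or None if there is none."""
    return next((j for j in range(k, len(trace)) if sel(trace[j])), None)


def strictly_precedes(a, b):
    """x P y on a finite trace: first instant a of x lies before first instant b of y, or y never occurs."""
    return b is None or (a is not None and a < b)


def fcfs_violations(trace):
    """(instant, i, j) where (~g_j) => [(r_i P r_j) => (g_i P g_j)] fails, observed from instants with g_j false."""
    bad, t = [], len(trace[0][0])
    for i in range(t):
        for j in range(t):
            if i == j:
                continue
            for k in range(len(trace)):
                if trace[k][1][j]:
                    continue           # not a reference point: g_j currently true
                ri = first_at(trace, k, lambda s: s[0][i])
                rj = first_at(trace, k, lambda s: s[0][j])
                gi = first_at(trace, k, lambda s: s[1][i])
                gj = first_at(trace, k, lambda s: s[1][j])
                if strictly_precedes(ri, rj) and not strictly_precedes(gi, gj):
                    bad.append((k, i, j))
    return bad


def grants(trace):
    """How often each g_i rises: a crude finite-trace stand-in for responsiveness (5)."""
    t = len(trace[0][0])
    return [sum(1 for k in range(len(trace) - 1) if not trace[k][1][i] and trace[k + 1][1][i])
            for i in range(t)]
```

With the scheduler fixed as G, $R_1$, ..., $R_t$ per round, requests raised within one round reach the allocator in index order, which is also their arrival order, so the queue discipline is genuinely first-come-first-served; a different interleaving would need the allocator to timestamp arrivals. `violations(run())` and `fcfs_violations(run())` are empty for the correct allocator, while `violations(run(unsolicited=True))` reports rule 4 at the very first instant, where $g_1$ rises with $r_1$ still false.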
Example:

Consider a pair of processes where the critical sections $C_1 = \{\ell_2, \ell_3\}$ and $C_2 = \{m_2, m_3\}$ are
mutually protected by semaphores:

$y := 1$

$\ell_0$ : execute
$\ell_1$ : request($y$)
$\ell_2$ : compute
$\ell_3$ : release($y$)
$\ell_4$ : go to $\ell_0$

$m_0$ : execute
$m_1$ : request($y$)
$m_2$ : compute
$m_3$ : release($y$)
$m_4$ : go to $m_0$

— $P_1$ —                    — $P_2$ —

We discussed previously the statement of accessibility for such a program; namely, that if $P_1$
is waiting at $\ell_1$ it will be eventually admitted into $C_1$. This ensures only the absence of infinite
overtaking, i.e., the possibility of $P_1$ waiting at $\ell_1$ forever while $P_2$ enters its own critical section
infinitely often. Yet, can we prevent overtaking altogether; i.e., can we prevent $P_2$ from overtaking
$P_1$ and entering $C_2$ even though $P_1$ reached $\ell_1$ before $P_2$ reached $m_1$?


We may impose fair responsiveness on this situation by requiring that the first process to reach
its request instruction will be the first to be admitted into its critical section. We may attempt to
state this property by:

$\models\; [(at\ell_1 \, P \, atm_1) \supset (atC_1 \, P \, atC_2)] \wedge [(atm_1 \, P \, at\ell_1) \supset (atC_2 \, P \, atC_1)].$

This states that if $P_1$ gets to $\ell_1$ before $P_2$ gets to $m_1$ then $P_1$ will gain access to $C_1$ before $P_2$ gets
to $C_2$, and similarly for the dual case in which $P_2$ gets to $m_1$ before $P_1$ gets to $\ell_1$.

However we again face the question of appropriate reference points. The statement would
certainly not be true if $P_2$ is currently at $C_2$. In the above example we may be aided by the location
variables in order to select appropriate reference points. One correct specification of fairness of the
semaphores in this case is:

$\models\; [(at\ell_1 \wedge at\{m_4, m_0\}) \supset (at\ell_2 \, P \, atm_2)] \wedge [(atm_1 \wedge at\{\ell_4, \ell_0\}) \supset (atm_2 \, P \, at\ell_2)].$

This says that if we are at an instant in which $P_1$ is already at $\ell_1$ while $P_2$ is both out of $C_2$ and
has not yet arrived at $m_1$ then $P_1$ will be admitted to its critical section first, and similarly for the
dual case. ∎


One  should  not  be  confused  by  the  double  appearance  of  the  notion  of  fairness,  once  when 
discussing  fair  scheduling  and  fair  execution  sequences,  and  here  when  discussing  fair  responsiveness 
as  a  program  property.  The  concepts  are  very  similar,  but  previously  we  assumed  fairness  as 
a  restriction  on  execution  sequences,  since  we  were  interested  only  in  fair  execution  sequences. 
Here  we  consider  (and  later  prove)  fairness  as  a  property  of  the  program  that  gives  rise  to  those 
sequences.  A  badly  designed  program  could  fail  to  achieve  fairness  in  responding  even  when  each 
of  the  executions  we  examine  is  fair  as  a  computation,  i.e.,  the  scheduler  may  be  doing  its  best 
but  the  program  failed  to  ensure  correct  (and  timely)  response  to  each  request. 
Consequently, when we prove that a program has the fair responsiveness property for every
proper computation, we assume that the computation is scheduled fairly and prove that it responds
fairly.